From 1ae2d00ab68b20281e197bf087f3d9a65817c6b8 Mon Sep 17 00:00:00 2001 
From: Shahzad Date: Wed, 15 Jan 2020 04:51:17 +0100 Subject: [PATCH 01/10] [Uptime] Feature/refactor context initialization (#54494) * update refactor * refactor context initilization * rename values * fix tests Co-authored-by: Justin Kambic --- .../monitor_charts.test.tsx.snap | 259 +++++++++---- .../uptime_date_picker.test.tsx.snap | 194 +++------- .../__tests__/monitor_charts.test.tsx | 25 +- .../__tests__/uptime_date_picker.test.tsx | 10 +- .../functional/charts/donut_chart.tsx | 4 +- .../functional/charts/donut_chart_legend.tsx | 4 +- .../functional/charts/snapshot_histogram.tsx | 4 +- .../filter_status_button.test.tsx.snap | 67 +++- .../__tests__/filter_status_button.test.tsx | 3 +- .../location_map/embeddables/embedded_map.tsx | 4 +- .../location_map/location_status_tags.tsx | 6 +- .../monitor_list_drawer.test.tsx.snap | 332 +++++++++-------- .../__tests__/monitor_list_drawer.test.tsx | 49 ++- .../monitor_status_row.tsx | 4 +- .../functional/uptime_date_picker.tsx | 9 +- .../plugins/uptime/public/contexts/index.ts | 9 +- .../public/contexts/uptime_refresh_context.ts | 27 -- .../contexts/uptime_refresh_context.tsx | 39 ++ .../contexts/uptime_settings_context.ts | 70 ---- .../contexts/uptime_settings_context.tsx | 56 +++ .../public/contexts/uptime_theme_context.tsx | 65 ++++ .../use_url_params.test.tsx.snap | 346 ++++++++++++++++-- .../hooks/__tests__/use_url_params.test.tsx | 102 +++--- .../uptime/public/hooks/use_url_params.ts | 17 +- .../public/lib/helper/render_with_router.tsx | 21 ++ .../legacy/plugins/uptime/public/lib/index.ts | 7 + .../plugins/uptime/public/pages/monitor.tsx | 5 +- .../plugins/uptime/public/pages/overview.tsx | 4 +- .../uptime/public/pages/page_header.tsx | 10 +- .../plugins/uptime/public/uptime_app.tsx | 140 ++----- 30 files changed, 1128 insertions(+), 764 deletions(-) delete mode 100644 x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.ts create mode 100644 
x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.tsx delete mode 100644 x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.ts create mode 100644 x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.tsx create mode 100644 x-pack/legacy/plugins/uptime/public/contexts/uptime_theme_context.tsx create mode 100644 x-pack/legacy/plugins/uptime/public/lib/helper/render_with_router.tsx create mode 100644 x-pack/legacy/plugins/uptime/public/lib/index.ts diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/monitor_charts.test.tsx.snap b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/monitor_charts.test.tsx.snap index 511485e70d0dc5..f6846dfb1164da 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/monitor_charts.test.tsx.snap +++ b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/monitor_charts.test.tsx.snap @@ -1,81 +1,192 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`MonitorCharts component renders the component without errors 1`] = ` - - - + - - - - - + } + dateRangeEnd="2011-12-03T10:15:30+01:00" + dateRangeStart="2011-12-03T10:15:30+01:00" + loading={false} + mean="mean" + monitorId="something" + range="range" + success="success" + /> + `; diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/uptime_date_picker.test.tsx.snap b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/uptime_date_picker.test.tsx.snap index 9a4cb2e04f59b0..1b1711153a6262 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/uptime_date_picker.test.tsx.snap +++ b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/__snapshots__/uptime_date_picker.test.tsx.snap 
@@ -111,155 +111,57 @@ exports[`UptimeDatePicker component renders properly with mock data 1`] = ` `; -exports[`UptimeDatePicker component renders properly without commonlyUsedRanges prop 1`] = ` -
-
-
-
-
- -
-
-
-
- -
-
-
-
-
- - - -
-
-`; - exports[`UptimeDatePicker component validates props with shallow render 1`] = ` - +> + + `; diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/monitor_charts.test.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/monitor_charts.test.tsx index 7beb3b545b45b9..81c60c8fbeaaa9 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/monitor_charts.test.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/monitor_charts.test.tsx @@ -9,6 +9,7 @@ import DateMath from '@elastic/datemath'; import { shallowWithIntl } from 'test_utils/enzyme_helpers'; import { MonitorChartsComponent } from '../monitor_charts'; import { MonitorChart } from '../../../../common/graphql/types'; +import { renderWithRouter } from '../../../lib'; describe('MonitorCharts component', () => { let dateMathSpy: any; @@ -63,17 +64,19 @@ describe('MonitorCharts component', () => { it('renders the component without errors', () => { const component = shallowWithIntl( - + renderWithRouter( + + ) ); expect(component).toMatchSnapshot(); }); diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/uptime_date_picker.test.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/uptime_date_picker.test.tsx index e3ca1a87850c8a..5ce88f2bd5c220 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/uptime_date_picker.test.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/__tests__/uptime_date_picker.test.tsx 
@@ -7,20 +7,16 @@ import { shallowWithIntl, renderWithIntl } from 'test_utils/enzyme_helpers'; import React from 'react'; import { UptimeDatePicker } from '../uptime_date_picker'; +import { renderWithRouter } from '../../../lib'; describe('UptimeDatePicker component', () => { it('validates props with shallow render', () => { - const component = shallowWithIntl(); + const component = shallowWithIntl(renderWithRouter()); expect(component).toMatchSnapshot(); }); it('renders properly with mock data', () => { - const component = renderWithIntl(); - expect(component).toMatchSnapshot(); - }); - - it('renders properly without commonlyUsedRanges prop', () => { - const component = renderWithIntl(); + const component = renderWithIntl(renderWithRouter()); expect(component).toMatchSnapshot(); }); }); diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart.tsx index 50dca8577455d3..35ee35e2926a80 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart.tsx @@ -9,7 +9,7 @@ import React, { useContext, useEffect, useRef } from 'react'; import * as d3 from 'd3'; import { i18n } from '@kbn/i18n'; import { DonutChartLegend } from './donut_chart_legend'; -import { UptimeSettingsContext } from '../../../contexts'; +import { UptimeThemeContext } from '../../../contexts'; interface DonutChartProps { down: number; @@ -23,7 +23,7 @@ export const DonutChart = ({ height, down, up, width }: DonutChartProps) => { const { colors: { danger, gray }, - } = useContext(UptimeSettingsContext); + } = useContext(UptimeThemeContext); let upCount = up; if (up === 0 && down === 0) { 
diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart_legend.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart_legend.tsx index ff471f7ba5407d..a514013eeed98d 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart_legend.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/charts/donut_chart_legend.tsx @@ -9,7 +9,7 @@ import { EuiSpacer } from '@elastic/eui'; import React, { useContext } from 'react'; import styled from 'styled-components'; import { DonutChartLegendRow } from './donut_chart_legend_row'; -import { UptimeSettingsContext } from '../../../contexts'; +import { UptimeThemeContext } from '../../../contexts'; const LegendContainer = styled.div` max-width: 260px; @@ -28,7 +28,7 @@ interface Props { export const DonutChartLegend = ({ down, up }: Props) => { const { colors: { gray, danger }, - } = useContext(UptimeSettingsContext); + } = useContext(UptimeThemeContext); return ( = ({ }: Props) => { const { colors: { danger, gray }, - } = useContext(UptimeSettingsContext); + } = useContext(UptimeThemeContext); if (!data || !data.queryResult) /** * TODO: the Fragment, EuiTitle, and EuiPanel should be extracted to a dumb component diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/__snapshots__/filter_status_button.test.tsx.snap b/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/__snapshots__/filter_status_button.test.tsx.snap index 28ac27054b8566..2d21c4d2fe2a2a 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/__snapshots__/filter_status_button.test.tsx.snap +++ b/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/__snapshots__/filter_status_button.test.tsx.snap 
@@ -1,16 +1,61 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`FilterStatusButton renders without errors for valid props 1`] = ` - - Up - + + `; diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/filter_status_button.test.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/filter_status_button.test.tsx index 73a74747d5ca5d..0c0393cb4fedfb 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/filter_status_button.test.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/filter_group/__tests__/filter_status_button.test.tsx @@ -7,6 +7,7 @@ import React from 'react'; import { shallowWithIntl } from 'test_utils/enzyme_helpers'; import { FilterStatusButton, FilterStatusButtonProps } from '../filter_status_button'; +import { renderWithRouter } from '../../../../lib/'; describe('FilterStatusButton', () => { let props: FilterStatusButtonProps; @@ -20,7 +21,7 @@ describe('FilterStatusButton', () => { }); it('renders without errors for valid props', () => { - const wrapper = shallowWithIntl(); + const wrapper = shallowWithIntl(renderWithRouter()); expect(wrapper).toMatchSnapshot(); }); }); diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/location_map/embeddables/embedded_map.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/location_map/embeddables/embedded_map.tsx index 9b20651fadb86b..63a054c0c4889c 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/location_map/embeddables/embedded_map.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/location_map/embeddables/embedded_map.tsx 
@@ -15,7 +15,7 @@ import { MAP_SAVED_OBJECT_TYPE } from '../../../../../../maps/common/constants'; import { MapEmbeddable } from './types'; import { getLayerList } from './map_config'; -import { UptimeSettingsContext } from '../../../../contexts'; +import { UptimeThemeContext } from '../../../../contexts'; export interface EmbeddedMapProps { upPoints: LocationPoint[]; @@ -46,7 +46,7 @@ const EmbeddedPanel = styled.div` `; export const EmbeddedMap = ({ upPoints, downPoints }: EmbeddedMapProps) => { - const { colors } = useContext(UptimeSettingsContext); + const { colors } = useContext(UptimeThemeContext); const [embeddable, setEmbeddable] = useState(); const embeddableRoot: React.RefObject = useRef(null); const factory = start.getEmbeddableFactory(MAP_SAVED_OBJECT_TYPE); diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/location_map/location_status_tags.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/location_map/location_status_tags.tsx index b8735f682adefb..923bf2c68cc56a 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/location_map/location_status_tags.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/location_map/location_status_tags.tsx @@ -5,11 +5,11 @@ */ import React, { useContext } from 'react'; +import moment from 'moment'; import styled from 'styled-components'; import { EuiBadge, EuiText } from '@elastic/eui'; -import moment from 'moment'; import { FormattedMessage } from '@kbn/i18n/react'; -import { UptimeSettingsContext } from '../../../contexts'; +import { UptimeThemeContext } from '../../../contexts'; import { MonitorLocation } from '../../../../common/runtime_types'; const TimeStampSpan = styled.span` 
@@ -48,7 +48,7 @@ interface StatusTag { export const LocationStatusTags = ({ locations }: Props) => { const { colors: { gray, danger }, - } = useContext(UptimeSettingsContext); + } = useContext(UptimeThemeContext); const upLocations: StatusTag[] = []; const downLocations: StatusTag[] = []; diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/__snapshots__/monitor_list_drawer.test.tsx.snap b/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/__snapshots__/monitor_list_drawer.test.tsx.snap index b6402ae852215f..29f2c0b63991eb 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/__snapshots__/monitor_list_drawer.test.tsx.snap +++ b/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/__snapshots__/monitor_list_drawer.test.tsx.snap @@ -1,189 +1,197 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`MonitorListDrawer component renders a MonitorListDrawer when there are many checks 1`] = ` - - - - - - https://expired.badssl.com - - - - - - + - - - - - - + `; exports[`MonitorListDrawer component renders a MonitorListDrawer when there is only one check 1`] = ` - - - - - - https://expired.badssl.com - - - - - - - - - - - + - + `; diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/monitor_list_drawer.test.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/monitor_list_drawer.test.tsx index 5c606f2356dfca..9bd407902cb550 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/monitor_list_drawer.test.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/__tests__/monitor_list_drawer.test.tsx 
@@ -9,6 +9,7 @@ import { shallowWithIntl } from 'test_utils/enzyme_helpers'; import React from 'react'; import { MonitorListDrawerComponent } from '../monitor_list_drawer'; import { MonitorDetails } from '../../../../../../common/runtime_types'; +import { renderWithRouter } from '../../../../../lib'; describe('MonitorListDrawer component', () => { let summary: MonitorSummary; @@ -52,11 +53,13 @@ describe('MonitorListDrawer component', () => { it('renders nothing when no summary data is present', () => { const component = shallowWithIntl( - + renderWithRouter( + + ) ); expect(component).toEqual({}); }); @@ -64,22 +67,26 @@ describe('MonitorListDrawer component', () => { it('renders nothing when no check data is present', () => { delete summary.state.checks; const component = shallowWithIntl( - + renderWithRouter( + + ) ); expect(component).toEqual({}); }); it('renders a MonitorListDrawer when there is only one check', () => { const component = shallowWithIntl( - + renderWithRouter( + + ) ); expect(component).toMatchSnapshot(); }); @@ -110,11 +117,13 @@ describe('MonitorListDrawer component', () => { ]; summary.state.checks = checks; const component = shallowWithIntl( - + renderWithRouter( + + ) ); expect(component).toMatchSnapshot(); }); diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/monitor_status_row.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/monitor_status_row.tsx index 23f11b88517fc0..e724986c2505e2 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/monitor_status_row.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/monitor_list/monitor_list_drawer/monitor_status_row.tsx 
@@ -7,7 +7,7 @@ import React, { useContext } from 'react'; import { EuiHealth, EuiSpacer } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; -import { UptimeSettingsContext } from '../../../../contexts'; +import { UptimeThemeContext } from '../../../../contexts'; import { UP } from './monitor_status_list'; import { UNNAMED_LOCATION } from '../../../../../common/constants'; @@ -25,7 +25,7 @@ interface MonitorStatusRowProps { export const MonitorStatusRow = ({ locationNames, status }: MonitorStatusRowProps) => { const { colors: { success, danger }, - } = useContext(UptimeSettingsContext); + } = useContext(UptimeThemeContext); const color = status === UP ? success : danger; diff --git a/x-pack/legacy/plugins/uptime/public/components/functional/uptime_date_picker.tsx b/x-pack/legacy/plugins/uptime/public/components/functional/uptime_date_picker.tsx index c282ac9b9e1553..2118faa7751301 100644 --- a/x-pack/legacy/plugins/uptime/public/components/functional/uptime_date_picker.tsx +++ b/x-pack/legacy/plugins/uptime/public/components/functional/uptime_date_picker.tsx @@ -8,7 +8,7 @@ import { EuiSuperDatePicker } from '@elastic/eui'; import React, { useContext } from 'react'; import { useUrlParams } from '../../hooks'; import { CLIENT_DEFAULTS } from '../../../common/constants'; -import { UptimeSettingsContext } from '../../contexts'; +import { UptimeRefreshContext, UptimeSettingsContext } from '../../contexts'; // TODO: when EUI exports types for this, this should be replaced interface SuperDateRangePickerRangeChangedEvent { 
@@ -27,14 +27,11 @@ export interface CommonlyUsedRange { display: string; } -interface UptimeDatePickerProps { - refreshApp: () => void; -} - -export const UptimeDatePicker = ({ refreshApp }: UptimeDatePickerProps) => { +export const UptimeDatePicker = () => { const [getUrlParams, updateUrl] = useUrlParams(); const { autorefreshInterval, autorefreshIsPaused, dateRangeStart, dateRangeEnd } = getUrlParams(); const { commonlyUsedRanges } = useContext(UptimeSettingsContext); + const { refreshApp } = useContext(UptimeRefreshContext); const euiCommonlyUsedRanges = commonlyUsedRanges ? commonlyUsedRanges.map( diff --git a/x-pack/legacy/plugins/uptime/public/contexts/index.ts b/x-pack/legacy/plugins/uptime/public/contexts/index.ts index 32eab9d1da291a..2b27fcfe907abd 100644 --- a/x-pack/legacy/plugins/uptime/public/contexts/index.ts +++ b/x-pack/legacy/plugins/uptime/public/contexts/index.ts @@ -4,5 +4,10 @@ * you may not use this file except in compliance with the Elastic License. */ -export { UptimeRefreshContext } from './uptime_refresh_context'; -export { UMSettingsContextValues, UptimeSettingsContext } from './uptime_settings_context'; +export { UptimeRefreshContext, UptimeRefreshContextProvider } from './uptime_refresh_context'; +export { + UptimeSettingsContextValues, + UptimeSettingsContext, + UptimeSettingsContextProvider, +} from './uptime_settings_context'; +export { UptimeThemeContextProvider, UptimeThemeContext } from './uptime_theme_context'; diff --git a/x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.ts b/x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.ts deleted file mode 100644 index e15f3fcd9e0fb3..00000000000000 --- a/x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.ts +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { createContext } from 'react'; -import { History } from 'history'; - -interface Location { - pathname: string; - search: string; -} - -interface UMRefreshContext { - lastRefresh: number; - history: History | undefined; - location: Location | undefined; -} - -const defaultContext: UMRefreshContext = { - lastRefresh: 0, - history: undefined, - location: undefined, -}; - -export const UptimeRefreshContext = createContext(defaultContext); diff --git a/x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.tsx b/x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.tsx new file mode 100644 index 00000000000000..4516289bd51d69 --- /dev/null +++ b/x-pack/legacy/plugins/uptime/public/contexts/uptime_refresh_context.tsx 
@@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React, { createContext, useMemo, useState } from 'react'; +import { store } from '../state'; +import { triggerAppRefresh } from '../state/actions'; + +interface UptimeRefreshContext { + lastRefresh: number; + refreshApp: () => void; +} + +const defaultContext: UptimeRefreshContext = { + lastRefresh: 0, + refreshApp: () => { + throw new Error('App refresh was not initialized, set it when you invoke the context'); + }, +}; + +export const UptimeRefreshContext = createContext(defaultContext); + +export const UptimeRefreshContextProvider: React.FC = ({ children }) => { + const [lastRefresh, setLastRefresh] = useState(Date.now()); + + const refreshApp = () => { + const refreshTime = Date.now(); + setLastRefresh(refreshTime); + store.dispatch(triggerAppRefresh(refreshTime)); + }; + + const value = useMemo(() => { + return { lastRefresh, refreshApp }; + }, [lastRefresh]); + + return ; +}; diff --git a/x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.ts b/x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.ts deleted file mode 100644 index c656391678aa2c..00000000000000 --- a/x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.ts +++ /dev/null 
@@ -1,70 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import DateMath from '@elastic/datemath'; -import euiLightVars from '@elastic/eui/dist/eui_theme_light.json'; -import { createContext } from 'react'; -import { UptimeAppColors } from '../uptime_app'; -import { CONTEXT_DEFAULTS } from '../../common/constants'; -import { CommonlyUsedRange } from '../components/functional/uptime_date_picker'; - -export interface UMSettingsContextValues { - absoluteStartDate: number; - absoluteEndDate: number; - autorefreshIsPaused: boolean; - autorefreshInterval: number; - basePath: string; - colors: UptimeAppColors; - dateRangeStart: string; - dateRangeEnd: string; - isApmAvailable: boolean; - isInfraAvailable: boolean; - isLogsAvailable: boolean; - refreshApp: () => void; - commonlyUsedRanges?: CommonlyUsedRange[]; -} - -const { - AUTOREFRESH_IS_PAUSED, - AUTOREFRESH_INTERVAL, - BASE_PATH, - DATE_RANGE_START, - DATE_RANGE_END, -} = CONTEXT_DEFAULTS; -const parsedStart = DateMath.parse(DATE_RANGE_START); -const parsedEnd = DateMath.parse(DATE_RANGE_END); -const DEFAULT_ABSOLUTE_START_DATE = parsedStart ? parsedStart.valueOf() : 0; -const DEFAULT_ABSOLUTE_END_DATE = parsedEnd ? parsedEnd.valueOf() : 1; - -/** - * These are default values for the context. These defaults are typically - * overwritten by the Uptime App upon its invocation. 
- */ -const defaultContext: UMSettingsContextValues = { - absoluteStartDate: DEFAULT_ABSOLUTE_START_DATE, - absoluteEndDate: DEFAULT_ABSOLUTE_END_DATE, - autorefreshIsPaused: AUTOREFRESH_IS_PAUSED, - autorefreshInterval: AUTOREFRESH_INTERVAL, - basePath: BASE_PATH, - colors: { - danger: euiLightVars.euiColorDanger, - mean: euiLightVars.euiColorPrimary, - range: euiLightVars.euiFocusBackgroundColor, - success: euiLightVars.euiColorSuccess, - warning: euiLightVars.euiColorWarning, - gray: euiLightVars.euiColorLightShade, - }, - dateRangeStart: DATE_RANGE_START, - dateRangeEnd: DATE_RANGE_END, - isApmAvailable: true, - isInfraAvailable: true, - isLogsAvailable: true, - refreshApp: () => { - throw new Error('App refresh was not initialized, set it when you invoke the context'); - }, -}; - -export const UptimeSettingsContext = createContext(defaultContext); diff --git a/x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.tsx b/x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.tsx new file mode 100644 index 00000000000000..b529d5346e88ea --- /dev/null +++ b/x-pack/legacy/plugins/uptime/public/contexts/uptime_settings_context.tsx 
@@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React, { createContext, useMemo } from 'react'; +import { useParams } from 'react-router-dom'; +import { UptimeAppProps } from '../uptime_app'; +import { CONTEXT_DEFAULTS } from '../../common/constants'; +import { CommonlyUsedRange } from '../components/functional/uptime_date_picker'; + +export interface UptimeSettingsContextValues { + basePath: string; + dateRangeStart: string; + dateRangeEnd: string; + isApmAvailable: boolean; + isInfraAvailable: boolean; + isLogsAvailable: boolean; + commonlyUsedRanges?: CommonlyUsedRange[]; +} + +const { BASE_PATH, DATE_RANGE_START, DATE_RANGE_END } = CONTEXT_DEFAULTS; + +/** + * These are default values for the context. These defaults are typically + * overwritten by the Uptime App upon its invocation. + */ +const defaultContext: UptimeSettingsContextValues = { + basePath: BASE_PATH, + dateRangeStart: DATE_RANGE_START, + dateRangeEnd: DATE_RANGE_END, + isApmAvailable: true, + isInfraAvailable: true, + isLogsAvailable: true, +}; +export const UptimeSettingsContext = createContext(defaultContext); + +export const UptimeSettingsContextProvider: React.FC = ({ children, ...props }) => { + const { basePath, isApmAvailable, isInfraAvailable, isLogsAvailable } = props; + + const { dateRangeStart, dateRangeEnd } = useParams(); + + const value = useMemo(() => { + return { + basePath, + isApmAvailable, + isInfraAvailable, + isLogsAvailable, + dateRangeStart: dateRangeStart ?? DATE_RANGE_START, + dateRangeEnd: dateRangeEnd ?? DATE_RANGE_END, + }; + }, [basePath, isApmAvailable, isInfraAvailable, isLogsAvailable, dateRangeStart, dateRangeEnd]); + + return ; +}; 
diff --git a/x-pack/legacy/plugins/uptime/public/contexts/uptime_theme_context.tsx b/x-pack/legacy/plugins/uptime/public/contexts/uptime_theme_context.tsx new file mode 100644 index 00000000000000..7a9450ea2774e3 --- /dev/null +++ b/x-pack/legacy/plugins/uptime/public/contexts/uptime_theme_context.tsx 
@@ -0,0 +1,65 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import euiLightVars from '@elastic/eui/dist/eui_theme_light.json'; +import React, { createContext, useMemo } from 'react'; +import euiDarkVars from '@elastic/eui/dist/eui_theme_dark.json'; +import { UptimeAppColors } from '../uptime_app'; + +export interface UptimeThemeContextValues { + colors: UptimeAppColors; +} + +/** + * These are default values for the context. These defaults are typically + * overwritten by the Uptime App upon its invocation. + */ +const defaultContext: UptimeThemeContextValues = { + colors: { + danger: euiLightVars.euiColorDanger, + mean: euiLightVars.euiColorPrimary, + range: euiLightVars.euiFocusBackgroundColor, + success: euiLightVars.euiColorSuccess, + warning: euiLightVars.euiColorWarning, + gray: euiLightVars.euiColorLightShade, + }, +}; + +export const UptimeThemeContext = createContext(defaultContext); + +interface ThemeContextProps { + darkMode: boolean; +} + +export const UptimeThemeContextProvider: React.FC = ({ darkMode, children }) => { + let colors: UptimeAppColors; + if (darkMode) { + colors = { + danger: euiDarkVars.euiColorDanger, + mean: euiDarkVars.euiColorPrimary, + gray: euiDarkVars.euiColorLightShade, + range: euiDarkVars.euiFocusBackgroundColor, + success: euiDarkVars.euiColorSuccess, + warning: euiDarkVars.euiColorWarning, + }; + } else { + colors = { + danger: euiLightVars.euiColorDanger, + mean: euiLightVars.euiColorPrimary, + gray: euiLightVars.euiColorLightShade, + range: euiLightVars.euiFocusBackgroundColor, + success: euiLightVars.euiColorSuccess, + warning: euiLightVars.euiColorWarning, + }; + } + const value = useMemo(() => { + return { + colors, + }; + }, [colors]); + + return ; +}; 
diff --git a/x-pack/legacy/plugins/uptime/public/hooks/__tests__/__snapshots__/use_url_params.test.tsx.snap b/x-pack/legacy/plugins/uptime/public/hooks/__tests__/__snapshots__/use_url_params.test.tsx.snap index 6abb14d015d67b..a2c52f94052898 100644 --- a/x-pack/legacy/plugins/uptime/public/hooks/__tests__/__snapshots__/use_url_params.test.tsx.snap +++ b/x-pack/legacy/plugins/uptime/public/hooks/__tests__/__snapshots__/use_url_params.test.tsx.snap @@ -1,50 +1,324 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`useUrlParams deletes keys that do not have truthy values 1`] = ` - -
- {"absoluteDateRangeStart":20,"absoluteDateRangeEnd":20,"autorefreshInterval":60000,"autorefreshIsPaused":false,"dateRangeStart":"now-12","dateRangeEnd":"now","filters":"","search":"","selectedPingStatus":"","statusFilter":"","pagination":"foo"} -
- - -
+
+ {"absoluteDateRangeStart":20,"absoluteDateRangeEnd":20,"autorefreshInterval":60000,"autorefreshIsPaused":false,"dateRangeStart":"now-12","dateRangeEnd":"now","filters":"","search":"","selectedPingStatus":"","statusFilter":"","pagination":"foo"} +
+ + + + `; exports[`useUrlParams gets the expected values using the context 1`] = ` - -
- {"absoluteDateRangeStart":20,"absoluteDateRangeEnd":20,"autorefreshInterval":60000,"autorefreshIsPaused":false,"dateRangeStart":"now-19d","dateRangeEnd":"now-1m","filters":"","search":"","selectedPingStatus":"","statusFilter":""} -
- - -
+
+ {"absoluteDateRangeStart":20,"absoluteDateRangeEnd":20,"autorefreshInterval":60000,"autorefreshIsPaused":false,"dateRangeStart":"now-15m","dateRangeEnd":"now","filters":"","search":"","selectedPingStatus":"","statusFilter":""} +
+ + + + `; diff --git a/x-pack/legacy/plugins/uptime/public/hooks/__tests__/use_url_params.test.tsx b/x-pack/legacy/plugins/uptime/public/hooks/__tests__/use_url_params.test.tsx index 66cb5d29d17426..c9ba7b9bc0098d 100644 --- a/x-pack/legacy/plugins/uptime/public/hooks/__tests__/use_url_params.test.tsx +++ b/x-pack/legacy/plugins/uptime/public/hooks/__tests__/use_url_params.test.tsx @@ -8,16 +8,15 @@ import { mountWithIntl } from 'test_utils/enzyme_helpers'; import DateMath from '@elastic/datemath'; import React, { useState, Fragment } from 'react'; import { useUrlParams, UptimeUrlParamsHook } from '../use_url_params'; -import { RouteComponentProps } from 'react-router-dom'; import { UptimeRefreshContext } from '../../contexts'; +import { renderWithRouter } from '../../lib'; +import { createMemoryHistory } from 'history'; interface MockUrlParamsComponentProps { hook: UptimeUrlParamsHook; updateParams?: { [key: string]: any }; } -let mockRouter: RouteComponentProps; - const UseUrlParamsTestComponent = ({ hook, updateParams }: MockUrlParamsComponentProps) => { const [params, setParams] = useState({}); const [getUrlParams, updateUrlParams] = hook(); 
@@ -42,61 +41,45 @@ const UseUrlParamsTestComponent = ({ hook, updateParams }: MockUrlParamsComponen describe('useUrlParams', () => { let dateMathSpy: any; const MOCK_DATE_VALUE = 20; + beforeEach(() => { - mockRouter = { - // @ts-ignore other properties aren't needed for this test - history: { - push: jest.fn(), - }, - location: { - pathname: '', - search: '?g=""', - state: {}, - hash: '', - }, - match: { - params: '', - isExact: true, - path: '/', - url: 'http://elastic.co', - }, - }; dateMathSpy = jest.spyOn(DateMath, 'parse'); dateMathSpy.mockReturnValue(MOCK_DATE_VALUE); }); it('accepts router props, updates URL params, and returns the current params', () => { + const history = createMemoryHistory(); + jest.spyOn(history, 'push'); + const component = mountWithIntl( - - - + renderWithRouter( + + + , + history + ) ); const setUrlParamsButton = component.find('#setUrlParams'); setUrlParamsButton.simulate('click'); - - expect(mockRouter.history.push).toHaveBeenCalledWith({ - pathname: '', - search: 'g=%22%22&dateRangeStart=now-12d&dateRangeEnd=now', + expect(history.push).toHaveBeenCalledWith({ + pathname: '/', + search: 'dateRangeStart=now-12d&dateRangeEnd=now', }); }); it('gets the expected values using the context', () => { const component = mountWithIntl( - - - + renderWithRouter( + + + + ) ); const getUrlParamsButton = component.find('#getUrlParams'); @@ -106,17 +89,24 @@ describe('useUrlParams', () => { }); it('deletes keys that do not have truthy values', () => { - mockRouter.location.search = 'g=%22%22&dateRangeStart=now-12&dateRangeEnd=now&pagination=foo'; + const history = createMemoryHistory({ + initialEntries: ['/?g=%22%22&dateRangeStart=now-12&dateRangeEnd=now&pagination=foo'], + }); + history.location.key = 'test'; + + jest.spyOn(history, 'push'); const component = mountWithIntl( - - - + renderWithRouter( + + + , + history + ) ); const getUrlParamsButton = component.find('#getUrlParams'); 
@@ -126,11 +116,11 @@ describe('useUrlParams', () => { expect(component).toMatchSnapshot(); - const setUrlParmsButton = component.find('#setUrlParams'); - setUrlParmsButton.simulate('click'); + const setUrlParamsButton = component.find('#setUrlParams'); + setUrlParamsButton.simulate('click'); - expect(mockRouter.history.push).toHaveBeenCalledWith({ - pathname: '', + expect(history.push).toHaveBeenCalledWith({ + pathname: '/', search: 'g=%22%22&dateRangeStart=now-12&dateRangeEnd=now', }); }); diff --git a/x-pack/legacy/plugins/uptime/public/hooks/use_url_params.ts b/x-pack/legacy/plugins/uptime/public/hooks/use_url_params.ts index 31343e6a1883c4..e509e14223006d 100644 --- a/x-pack/legacy/plugins/uptime/public/hooks/use_url_params.ts +++ b/x-pack/legacy/plugins/uptime/public/hooks/use_url_params.ts @@ -5,8 +5,7 @@ */ import qs from 'querystring'; -import { useContext } from 'react'; -import { UptimeRefreshContext } from '../contexts'; +import { useLocation, useHistory } from 'react-router-dom'; import { UptimeUrlParams, getSupportedUrlParams } from '../lib/helper'; type GetUrlParams = () => UptimeUrlParams; @@ -15,12 +14,13 @@ type UpdateUrlParams = (updatedParams: { [key: string]: string | number | boolea export type UptimeUrlParamsHook = () => [GetUrlParams, UpdateUrlParams]; export const useUrlParams: UptimeUrlParamsHook = () => { - const refreshContext = useContext(UptimeRefreshContext); + const location = useLocation(); + const history = useHistory(); const getUrlParams: GetUrlParams = () => { let search: string | undefined; - if (refreshContext.location) { - search = refreshContext.location.search; + if (location) { + search = location.search; } const params = search ? { ...qs.parse(search[0] === '?' ? search.slice(1) : search) } : {}; 
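Review bot: The `if (location)` guard in getUrlParams is now effectively dead code: `useLocation()` hands back the router's location object whenever the hook renders inside a `Router`, and (as far as I recall of react-router v5) it throws rather than returning undefined when it does not, so `search` can be read directly, `const search = location.search;`, and the `let search: string | undefined;` declaration dropped. The same pattern survives as `if (!history || !location) return;` in the `@@ -28,11 +28,8 @@` hunk of this file below; if that early return is meant to protect a render path without a Router, a one-line comment saying so would stop the next reader from deleting it. The value read here comes straight from the address bar, so the `qs.parse` output should keep being treated as untrusted strings rather than typed `any` further down. The body of getUrlParams continues outside this hunk.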
@@ -28,11 +28,8 @@ export const useUrlParams: UptimeUrlParamsHook = () => { }; const updateUrlParams: UpdateUrlParams = updatedParams => { - if (!refreshContext.history || !refreshContext.location) return; - const { - history, - location: { pathname, search }, - } = refreshContext; + if (!history || !location) return; + const { pathname, search } = location; const currentParams: any = qs.parse(search[0] === '?' ? search.slice(1) : search); const mergedParams = { ...currentParams, diff --git a/x-pack/legacy/plugins/uptime/public/lib/helper/render_with_router.tsx b/x-pack/legacy/plugins/uptime/public/lib/helper/render_with_router.tsx new file mode 100644 index 00000000000000..5cd9ec23a35877 --- /dev/null +++ b/x-pack/legacy/plugins/uptime/public/lib/helper/render_with_router.tsx @@ -0,0 +1,21 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React from 'react'; + +import { Router } from 'react-router-dom'; +import { MemoryHistory } from 'history/createMemoryHistory'; +import { createMemoryHistory } from 'history'; + +export const renderWithRouter = (Component: any, customHistory?: MemoryHistory) => { + if (customHistory) { + return {Component}; + } + const history = createMemoryHistory(); + history.location.key = 'TestKeyForTesting'; + + return {Component}; +}; diff --git a/x-pack/legacy/plugins/uptime/public/lib/index.ts b/x-pack/legacy/plugins/uptime/public/lib/index.ts new file mode 100644 index 00000000000000..9a78c6df5d63d4 --- /dev/null +++ b/x-pack/legacy/plugins/uptime/public/lib/index.ts 
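Review bot: `Component: any` in the new renderWithRouter signature gives up type checking on the one argument the helper exists to wrap; the tests pass a JSX tree, so `React.ReactElement` fits and costs nothing, `export const renderWithRouter = (Component: React.ReactElement, customHistory?: MemoryHistory) =>`. The fixed `history.location.key = 'TestKeyForTesting'` is applied only in the default-history branch, and the `deletes keys that do not have truthy values` test above has to repeat the idea by hand with `history.location.key = 'test'`; whatever the fixed key is for (presumably stable enzyme snapshots, since createMemoryHistory generates a fresh key otherwise) deserves a comment such as `// fixed key so mounted snapshots do not change between runs — confirm`. `Component` as a parameter name also reads as a component type rather than an element instance; `element` or `children` would be clearer. The JSX of the two return statements is not visible in this rendering of the patch.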
@@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export { renderWithRouter } from './helper/render_with_router'; diff --git a/x-pack/legacy/plugins/uptime/public/pages/monitor.tsx b/x-pack/legacy/plugins/uptime/public/pages/monitor.tsx index 1b4ad8d82ead18..408d2584911e0d 100644 --- a/x-pack/legacy/plugins/uptime/public/pages/monitor.tsx +++ b/x-pack/legacy/plugins/uptime/public/pages/monitor.tsx @@ -9,7 +9,7 @@ import React, { Fragment, useContext, useState } from 'react'; import { useParams } from 'react-router-dom'; import { MonitorCharts, PingList } from '../components/functional'; import { UMUpdateBreadcrumbs } from '../lib/lib'; -import { UptimeSettingsContext } from '../contexts'; +import { UptimeRefreshContext, UptimeThemeContext } from '../contexts'; import { useUptimeTelemetry, useUrlParams, UptimePage } from '../hooks'; import { useTrackPageview } from '../../../infra/public'; import { MonitorStatusDetails } from '../components/functional/monitor_status_details'; @@ -25,7 +25,8 @@ export const MonitorPage = ({ setBreadcrumbs }: MonitorPageProps) => { monitorId = atob(monitorId || ''); const [pingListPageCount, setPingListPageCount] = useState(10); - const { colors, refreshApp } = useContext(UptimeSettingsContext); + const { colors } = useContext(UptimeThemeContext); + const { refreshApp } = useContext(UptimeRefreshContext); const [getUrlParams, updateUrlParams] = useUrlParams(); const { absoluteDateRangeStart, absoluteDateRangeEnd, ...params } = getUrlParams(); const { dateRangeStart, dateRangeEnd, selectedPingStatus } = params; diff --git a/x-pack/legacy/plugins/uptime/public/pages/overview.tsx b/x-pack/legacy/plugins/uptime/public/pages/overview.tsx index e7ef7f53afde41..fbfbfc06e3c52f 100644 
--- a/x-pack/legacy/plugins/uptime/public/pages/overview.tsx +++ b/x-pack/legacy/plugins/uptime/public/pages/overview.tsx @@ -16,7 +16,6 @@ import { StatusPanel, } from '../components/functional'; import { UMUpdateBreadcrumbs } from '../lib/lib'; -import { UptimeSettingsContext } from '../contexts'; import { useIndexPattern, useUrlParams, useUptimeTelemetry, UptimePage } from '../hooks'; import { stringifyUrlParams } from '../lib/helper/stringify_url_params'; import { useTrackPageview } from '../../../infra/public'; @@ -25,6 +24,7 @@ import { AutocompleteProviderRegister, esKuery } from '../../../../../../src/plu import { store } from '../state'; import { setEsKueryString } from '../state/actions'; import { PageHeader } from './page_header'; +import { UptimeThemeContext } from '../contexts/uptime_theme_context'; interface OverviewPageProps { autocomplete: Pick; @@ -48,7 +48,7 @@ const EuiFlexItemStyled = styled(EuiFlexItem)` `; export const OverviewPage = ({ autocomplete, setBreadcrumbs }: Props) => { - const { colors } = useContext(UptimeSettingsContext); + const { colors } = useContext(UptimeThemeContext); const [getUrlParams, updateUrl] = useUrlParams(); const { absoluteDateRangeStart, absoluteDateRangeEnd, ...params } = getUrlParams(); const { diff --git a/x-pack/legacy/plugins/uptime/public/pages/page_header.tsx b/x-pack/legacy/plugins/uptime/public/pages/page_header.tsx index 250dacb8914e76..d341a22bc583b3 100644 --- a/x-pack/legacy/plugins/uptime/public/pages/page_header.tsx +++ b/x-pack/legacy/plugins/uptime/public/pages/page_header.tsx @@ -5,7 +5,7 @@ */ import { EuiTitle, EuiFlexGroup, EuiFlexItem, EuiSpacer } from '@elastic/eui'; -import React, { useEffect, useState, useContext } from 'react'; +import React, { useEffect, useState } from 'react'; import { connect } from 'react-redux'; import { useRouteMatch, useParams } from 'react-router-dom'; import { i18n } from '@kbn/i18n'; 
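Review bot: The new import at `@@ -25,6 +24,7 @@` reaches into `../contexts/uptime_theme_context` directly, while monitor.tsx in this same commit takes `UptimeThemeContext` from the `../contexts` barrel; using the barrel here too, `import { UptimeThemeContext } from '../contexts';`, keeps one import path per symbol and lets the `../contexts` line removed at `@@ -16,7 +16,6 @@` simply be rewritten in place instead of deleted and re-added lower down. The `@@ -48,7 +48,7 @@` hunk is a one-line context swap and raises nothing on its own.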
@@ -14,7 +14,6 @@ import { AppState } from '../state'; import { selectSelectedMonitor } from '../state/selectors'; import { getMonitorPageBreadcrumb, getOverviewPageBreadcrumbs } from '../breadcrumbs'; import { stringifyUrlParams } from '../lib/helper/stringify_url_params'; -import { UptimeSettingsContext } from '../contexts'; import { getTitle } from '../lib/helper/get_title'; import { UMUpdateBreadcrumbs } from '../lib/lib'; import { MONITOR_ROUTE } from '../routes'; @@ -28,7 +27,6 @@ export const PageHeaderComponent = ({ monitorStatus, setBreadcrumbs }: PageHeade const monitorPage = useRouteMatch({ path: MONITOR_ROUTE, }); - const { refreshApp } = useContext(UptimeSettingsContext); const { absoluteDateRangeStart, absoluteDateRangeEnd, ...params } = useParams(); @@ -61,6 +59,10 @@ export const PageHeaderComponent = ({ monitorStatus, setBreadcrumbs }: PageHeade } }, [headerText, setBreadcrumbs, params, monitorPage]); + useEffect(() => { + document.title = getTitle(); + }, []); + return ( <> @@ -70,7 +72,7 @@ export const PageHeaderComponent = ({ monitorStatus, setBreadcrumbs }: PageHeade - + diff --git a/x-pack/legacy/plugins/uptime/public/uptime_app.tsx b/x-pack/legacy/plugins/uptime/public/uptime_app.tsx index 25ff0e71770160..513faa3eb4bc2e 100644 --- a/x-pack/legacy/plugins/uptime/public/uptime_app.tsx +++ b/x-pack/legacy/plugins/uptime/public/uptime_app.tsx 
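Review bot: The `document.title = getTitle()` effect added at `@@ -61,6 +59,10 @@` has an empty dependency list, so it now runs once per mount of PageHeaderComponent rather than once per application mount as the `uptime_app.tsx` effect it replaces did; if the header is remounted on route changes this re-runs on every navigation, which is harmless for a static title but worth stating, e.g. `// Title is static; set once per header mount (moved here from uptime_app).`. If getTitle ever becomes page-dependent, the dependency list will need the inputs it reads. PageHeaderComponent starts outside this hunk, and the JSX in the `@@ -70,7 +72,7 @@` hunk is not visible in this rendering of the patch.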
@@ -4,25 +4,24 @@ * you may not use this file except in compliance with the Elastic License. */ -import DateMath from '@elastic/datemath'; -import { EuiPage } from '@elastic/eui'; -import euiDarkVars from '@elastic/eui/dist/eui_theme_dark.json'; -import euiLightVars from '@elastic/eui/dist/eui_theme_light.json'; +import { EuiPage, EuiErrorBoundary } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import React, { useEffect, useState } from 'react'; +import React, { useEffect } from 'react'; import { ApolloProvider } from 'react-apollo'; import { Provider as ReduxProvider } from 'react-redux'; -import { BrowserRouter as Router, Route, RouteComponentProps } from 'react-router-dom'; +import { BrowserRouter as Router } from 'react-router-dom'; import { I18nStart, ChromeBreadcrumb, LegacyCoreStart } from 'src/core/public'; import { PluginsStart } from 'ui/new_platform/new_platform'; import { KibanaContextProvider } from '../../../../../src/plugins/kibana_react/public'; import { UMGraphQLClient, UMUpdateBreadcrumbs, UMUpdateBadge } from './lib/lib'; -import { UptimeRefreshContext, UptimeSettingsContext, UMSettingsContextValues } from './contexts'; +import { + UptimeRefreshContextProvider, + UptimeSettingsContextProvider, + UptimeThemeContextProvider, +} from './contexts'; import { CommonlyUsedRange } from './components/functional/uptime_date_picker'; -import { useUrlParams } from './hooks'; -import { getTitle } from './lib/helper/get_title'; import { store } from './state'; -import { setBasePath, triggerAppRefresh } from './state/actions'; +import { setBasePath } from './state/actions'; import { PageRouter } from './routes'; export interface UptimeAppColors { @@ -60,11 +59,7 @@ const Application = (props: UptimeAppProps) => { client, core, darkMode, - commonlyUsedRanges, i18n: i18nCore, - isApmAvailable, - isInfraAvailable, - isLogsAvailable, plugins, renderGlobalHelpControls, routerBasename, 
@@ -72,28 +67,6 @@ const Application = (props: UptimeAppProps) => { setBadge, } = props; - let colors: UptimeAppColors; - if (darkMode) { - colors = { - danger: euiDarkVars.euiColorDanger, - mean: euiDarkVars.euiColorPrimary, - gray: euiDarkVars.euiColorLightShade, - range: euiDarkVars.euiFocusBackgroundColor, - success: euiDarkVars.euiColorSuccess, - warning: euiDarkVars.euiColorWarning, - }; - } else { - colors = { - danger: euiLightVars.euiColorDanger, - mean: euiLightVars.euiColorPrimary, - gray: euiLightVars.euiColorLightShade, - range: euiLightVars.euiFocusBackgroundColor, - success: euiLightVars.euiColorSuccess, - warning: euiLightVars.euiColorWarning, - }; - } - const [lastRefresh, setLastRefresh] = useState(Date.now()); - useEffect(() => { renderGlobalHelpControls(); setBadge( @@ -111,77 +84,36 @@ const Application = (props: UptimeAppProps) => { ); }, [canSave, renderGlobalHelpControls, setBadge]); - useEffect(() => { - document.title = getTitle(); - }, []); - - const refreshApp = () => { - const refreshTime = Date.now(); - setLastRefresh(refreshTime); - store.dispatch(triggerAppRefresh(refreshTime)); - }; - - const [getUrlParams] = useUrlParams(); - const initializeSettingsContextValues = (): UMSettingsContextValues => { - const { - autorefreshInterval, - autorefreshIsPaused, - dateRangeStart, - dateRangeEnd, - } = getUrlParams(); - const absoluteStartDate = DateMath.parse(dateRangeStart); - const absoluteEndDate = DateMath.parse(dateRangeEnd); - return { - // TODO: extract these values to dedicated (and more sensible) constants - absoluteStartDate: absoluteStartDate ? absoluteStartDate.valueOf() : 0, - absoluteEndDate: absoluteEndDate ? absoluteEndDate.valueOf() : 1, - autorefreshInterval, - autorefreshIsPaused, - basePath, - colors, - dateRangeStart, - dateRangeEnd, - isApmAvailable, - isInfraAvailable, - isLogsAvailable, - refreshApp, - commonlyUsedRanges, - }; - }; - store.dispatch(setBasePath(basePath)); return ( - - - - - { - return ( - - - - -
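Review bot: `darkMode` is still destructured from props at the top of the `@@ -60,11 +59,7 @@` hunk while the only visible consumer, the `colors` computation, is deleted in the `@@ -72,28 +67,6 @@` hunk; if it is now forwarded to `UptimeThemeContextProvider` in the render tree (the JSX is not visible in this rendering of the patch) that is fine, otherwise it is an unused binding the linter will flag. The removed `useState`/`lastRefresh` pair at the same spot matches the dropped `useState` import above, so that side is consistent. The Application body continues into the next hunk below.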
- -
-
-
-
-
- ); - }} - /> -
-
-
-
+ + + + + + + + + + +
+ +
+
+
+
+
+
+
+
+
+
+
); }; From 56ff72186778fa694a8c10e10c41bfd80d9a34b6 Mon Sep 17 00:00:00 2001 
From: Andrew Goldstein Date: Tue, 14 Jan 2020 21:03:57 -0700 Subject: [PATCH 02/10] [SIEM] New Overview Page (#54783) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## [SIEM] Overview Page "1.5" A redesigned SIEM Overview page that includes `Recent timelines`, a `Security news` feed, visualizations, and rolled-up event counts ![overview-day](https://user-images.githubusercontent.com/4459398/72396016-90f53600-36f8-11ea-9b41-6d54d09de589.png) ![overview-night](https://user-images.githubusercontent.com/4459398/72394575-fb57a780-36f3-11ea-868e-8fcd2c5c4543.png) ### Overview enhancements - Added the global Search bar and Date picker to the Overview page - New `Recent timelines` widget affords quick access to favorite and recently modified timelines - New `Security news` widget - New Kibana advanced settings (toggle switch) for enabling or disabling the news widget and configuring the news URL ![news-settings](https://user-images.githubusercontent.com/4459398/72362776-fd4c4700-36b0-11ea-805b-3c7353f2c1cd.png) - New `Events count by dataset` widget - Updated the `Host Events` and `Network Events` widgets to integrate with the Search bar and date picker input - Enhanced the `Host Events` and `Network Events` widgets to use an accordion paradigm that summarizes stats by source (e.g. `Auditbeat`, `Endgame`) - Enhanced the `Host Events` and `Network Events` widgets to visualize relative percentages of events collected as progress bars - New `Alerts count by category` widget - New `Signals count by MITRE ATT&CK™ category` widget - New `View events`, `View alerts`, and `View signals` navigation buttons for their respective visualizations ### FTUE enhancements - FTUE "no data" view design refresh ![ftue](https://user-images.githubusercontent.com/4459398/72361771-43a0a680-36af-11ea-969f-5872ac4a01a1.png) - When the FTUE "no data" page is displayed, hide all global navigation links (i.e. 
`Hosts`, `Network`, `Detection engine`), such that only `Overview` appears in the global nav - App Help popover design refresh ![help](https://user-images.githubusercontent.com/4459398/72362132-d80b0900-36af-11ea-9b58-1fd3b923b7c8.png) - Removed the `Beta` badge and `Security Information & Event Management with the Elastic Stack` from the Overview header - Tested in Chrome `79.0.3945.117`, Firefox `72.0.1`, and Safari `13.0.4` ## Known issues - The `siem:newsFeedUrl` advanced setting is defaulted to `https://feeds.elastic.co/kibana` - The `Signals count by MITRE ATT&CK™ category` visualization does not display all categories - The `Signals count by MITRE ATT&CK™ category` visualization may require a different index pattern - `EuiButtonGroup` throwing a `Can't perform a React state update on an unmounted component` warning when switching from the Overview tab https://github.com/elastic/siem-team/issues/484 --- ...ibana-plugin-public.doclinksstart.links.md | 5 +- .../kibana-plugin-public.doclinksstart.md | 2 +- .../core/public/kibana-plugin-public.md | 302 +++---- docs/management/advanced-options.asciidoc | 2 + .../public/doc_links/doc_links_service.ts | 10 +- src/core/public/public.api.md | 5 +- .../language_switcher.test.tsx.snap | 10 +- .../query_string_input.test.tsx.snap | 30 +- .../legacy/plugins/siem/common/constants.ts | 9 + .../integration/lib/overview/selectors.ts | 4 + .../smoke_tests/overview/overview.spec.ts | 16 +- x-pack/legacy/plugins/siem/index.ts | 26 + .../public/components/alerts_viewer/index.tsx | 10 +- .../components/alerts_viewer/translations.ts | 8 + .../__snapshots__/index.test.tsx.snap | 1 + .../public/components/empty_page/index.tsx | 1 + .../components/events_viewer/translations.ts | 7 + .../components/formatted_date/index.tsx | 53 +- .../__snapshots__/index.test.tsx.snap | 47 +- .../public/components/header_global/index.tsx | 26 +- .../public/components/help_menu/index.tsx | 9 + .../siem/public/components/link_to/index.ts | 2 +- 
.../public/components/link_to/link_to.tsx | 4 +- .../components/matrix_histogram/index.tsx | 32 +- .../components/matrix_histogram/types.ts | 6 +- .../components/matrix_histogram/utils.ts | 6 +- .../public/components/news_feed/helpers.ts | 89 ++ .../public/components/news_feed/index.tsx | 57 ++ .../public/components/news_feed/news_feed.tsx | 42 + .../components/news_feed/news_link/index.tsx | 24 + .../components/news_feed/no_news/index.tsx | 24 + .../components/news_feed/post/index.tsx | 62 ++ .../components/news_feed/translations.ts | 19 + .../siem/public/components/news_feed/types.ts | 42 + .../public/components/page/manage_query.tsx | 3 + .../page/overview/overview_host/index.tsx | 119 ++- .../__snapshots__/index.test.tsx.snap | 852 +++++++++++++----- .../overview_host_stats/index.test.tsx | 59 +- .../overview/overview_host_stats/index.tsx | 296 +++--- .../page/overview/overview_network/index.tsx | 120 ++- .../__snapshots__/index.test.tsx.snap | 534 ++++++++--- .../overview_network_stats/index.test.tsx | 59 +- .../overview/overview_network_stats/index.tsx | 227 ++--- .../components/page/overview/stat_value.tsx | 54 ++ .../public/components/page/overview/types.ts | 43 + .../recent_timelines/counts/index.tsx | 59 ++ .../recent_timelines/filters/index.tsx | 39 + .../recent_timelines/header/index.tsx | 66 ++ .../components/recent_timelines/helpers.ts | 26 + .../components/recent_timelines/index.tsx | 141 +++ .../recent_timelines/recent_timelines.tsx | 55 ++ .../recent_timelines/translations.ts | 55 ++ .../components/recent_timelines/types.ts | 7 + .../components/sidebar_header/index.tsx | 27 + .../components/url_state/index.test.tsx | 2 +- .../siem/public/components/url_state/types.ts | 8 +- .../containers/matrix_histogram/index.tsx | 6 +- .../siem/public/pages/common/translations.ts | 27 + .../detection_engine_empty_page.tsx | 5 +- .../detection_engine_no_signal_index.tsx | 6 +- .../detection_engine_user_unauthenticated.tsx | 6 +- 
.../public/pages/hosts/hosts_empty_page.tsx | 5 +- .../navigation/events_query_tab_body.tsx | 6 +- .../siem/public/pages/hosts/translations.ts | 20 +- .../pages/network/network_empty_page.tsx | 5 +- .../siem/public/pages/network/translations.ts | 13 - .../overview/alerts_by_category/index.tsx | 127 +++ .../pages/overview/event_counts/index.tsx | 80 ++ .../overview/events_by_dataset/index.tsx | 127 +++ .../siem/public/pages/overview/index.tsx | 4 +- .../public/pages/overview/overview.test.tsx | 25 + .../siem/public/pages/overview/overview.tsx | 184 ++-- .../pages/overview/overview_empty/index.tsx | 35 + .../public/pages/overview/sidebar/index.tsx | 18 + .../public/pages/overview/sidebar/sidebar.tsx | 56 ++ .../overview/signals_by_category/index.tsx | 63 ++ .../siem/public/pages/overview/summary.tsx | 2 +- .../public/pages/overview/translations.ts | 32 +- .../translations/translations/ja-JP.json | 11 - .../translations/translations/zh-CN.json | 11 - 80 files changed, 3627 insertions(+), 1090 deletions(-) create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/helpers.ts create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/news_link/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/post/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts create mode 100644 x-pack/legacy/plugins/siem/public/components/news_feed/types.ts create mode 100644 x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/page/overview/types.ts create mode 100644 
x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/recent_timelines/filters/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/recent_timelines/helpers.ts create mode 100644 x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/recent_timelines/recent_timelines.tsx create mode 100644 x-pack/legacy/plugins/siem/public/components/recent_timelines/translations.ts create mode 100644 x-pack/legacy/plugins/siem/public/components/recent_timelines/types.ts create mode 100644 x-pack/legacy/plugins/siem/public/components/sidebar_header/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/pages/common/translations.ts create mode 100644 x-pack/legacy/plugins/siem/public/pages/overview/alerts_by_category/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/pages/overview/sidebar/index.tsx create mode 100644 x-pack/legacy/plugins/siem/public/pages/overview/sidebar/sidebar.tsx create mode 100644 x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx diff --git a/docs/development/core/public/kibana-plugin-public.doclinksstart.links.md b/docs/development/core/public/kibana-plugin-public.doclinksstart.links.md index cbda9abead9d1b..9e662c543eb56d 100644 --- a/docs/development/core/public/kibana-plugin-public.doclinksstart.links.md +++ b/docs/development/core/public/kibana-plugin-public.doclinksstart.links.md 
@@ -79,7 +79,10 @@ readonly links: { readonly introduction: string; }; readonly kibana: string; - readonly siem: string; + readonly siem: { + readonly guide: string; + readonly gettingStarted: string; + }; readonly query: { readonly luceneQuerySyntax: string; readonly queryDsl: string; diff --git a/docs/development/core/public/kibana-plugin-public.doclinksstart.md b/docs/development/core/public/kibana-plugin-public.doclinksstart.md index c43569e24c63e5..cefac180d88c5b 100644 --- a/docs/development/core/public/kibana-plugin-public.doclinksstart.md +++ b/docs/development/core/public/kibana-plugin-public.doclinksstart.md @@ -17,5 +17,5 @@ export interface DocLinksStart | --- | --- | --- | | [DOC\_LINK\_VERSION](./kibana-plugin-public.doclinksstart.doc_link_version.md) | string | | | [ELASTIC\_WEBSITE\_URL](./kibana-plugin-public.doclinksstart.elastic_website_url.md) | string | | -| [links](./kibana-plugin-public.doclinksstart.links.md) | {
readonly filebeat: {
readonly base: string;
readonly installation: string;
readonly configuration: string;
readonly elasticsearchOutput: string;
readonly startup: string;
readonly exportedFields: string;
};
readonly auditbeat: {
readonly base: string;
};
readonly metricbeat: {
readonly base: string;
};
readonly heartbeat: {
readonly base: string;
};
readonly logstash: {
readonly base: string;
};
readonly functionbeat: {
readonly base: string;
};
readonly winlogbeat: {
readonly base: string;
};
readonly aggs: {
readonly date_histogram: string;
readonly date_range: string;
readonly filter: string;
readonly filters: string;
readonly geohash_grid: string;
readonly histogram: string;
readonly ip_range: string;
readonly range: string;
readonly significant_terms: string;
readonly terms: string;
readonly avg: string;
readonly avg_bucket: string;
readonly max_bucket: string;
readonly min_bucket: string;
readonly sum_bucket: string;
readonly cardinality: string;
readonly count: string;
readonly cumulative_sum: string;
readonly derivative: string;
readonly geo_bounds: string;
readonly geo_centroid: string;
readonly max: string;
readonly median: string;
readonly min: string;
readonly moving_avg: string;
readonly percentile_ranks: string;
readonly serial_diff: string;
readonly std_dev: string;
readonly sum: string;
readonly top_hits: string;
};
readonly scriptedFields: {
readonly scriptFields: string;
readonly scriptAggs: string;
readonly painless: string;
readonly painlessApi: string;
readonly painlessSyntax: string;
readonly luceneExpressions: string;
};
readonly indexPatterns: {
readonly loadingData: string;
readonly introduction: string;
};
readonly kibana: string;
readonly siem: string;
readonly query: {
readonly luceneQuerySyntax: string;
readonly queryDsl: string;
readonly kueryQuerySyntax: string;
};
readonly date: {
readonly dateMath: string;
};
} | | +| [links](./kibana-plugin-public.doclinksstart.links.md) | {
readonly filebeat: {
readonly base: string;
readonly installation: string;
readonly configuration: string;
readonly elasticsearchOutput: string;
readonly startup: string;
readonly exportedFields: string;
};
readonly auditbeat: {
readonly base: string;
};
readonly metricbeat: {
readonly base: string;
};
readonly heartbeat: {
readonly base: string;
};
readonly logstash: {
readonly base: string;
};
readonly functionbeat: {
readonly base: string;
};
readonly winlogbeat: {
readonly base: string;
};
readonly aggs: {
readonly date_histogram: string;
readonly date_range: string;
readonly filter: string;
readonly filters: string;
readonly geohash_grid: string;
readonly histogram: string;
readonly ip_range: string;
readonly range: string;
readonly significant_terms: string;
readonly terms: string;
readonly avg: string;
readonly avg_bucket: string;
readonly max_bucket: string;
readonly min_bucket: string;
readonly sum_bucket: string;
readonly cardinality: string;
readonly count: string;
readonly cumulative_sum: string;
readonly derivative: string;
readonly geo_bounds: string;
readonly geo_centroid: string;
readonly max: string;
readonly median: string;
readonly min: string;
readonly moving_avg: string;
readonly percentile_ranks: string;
readonly serial_diff: string;
readonly std_dev: string;
readonly sum: string;
readonly top_hits: string;
};
readonly scriptedFields: {
readonly scriptFields: string;
readonly scriptAggs: string;
readonly painless: string;
readonly painlessApi: string;
readonly painlessSyntax: string;
readonly luceneExpressions: string;
};
readonly indexPatterns: {
readonly loadingData: string;
readonly introduction: string;
};
readonly kibana: string;
readonly siem: {
readonly guide: string;
readonly gettingStarted: string;
};
readonly query: {
readonly luceneQuerySyntax: string;
readonly queryDsl: string;
readonly kueryQuerySyntax: string;
};
readonly date: {
readonly dateMath: string;
};
} | | diff --git a/docs/development/core/public/kibana-plugin-public.md b/docs/development/core/public/kibana-plugin-public.md index 64cbdd880fed1a..27ca9f2d9fd577 100644 --- a/docs/development/core/public/kibana-plugin-public.md +++ b/docs/development/core/public/kibana-plugin-public.md 
@@ -1,151 +1,151 @@ - - -[Home](./index.md) > [kibana-plugin-public](./kibana-plugin-public.md) - -## kibana-plugin-public package - -The Kibana Core APIs for client-side plugins. - -A plugin's `public/index` file must contain a named import, `plugin`, that implements [PluginInitializer](./kibana-plugin-public.plugininitializer.md) which returns an object that implements [Plugin](./kibana-plugin-public.plugin.md). - -The plugin integrates with the core system via lifecycle events: `setup`, `start`, and `stop`. In each lifecycle method, the plugin will receive the corresponding core services available (either [CoreSetup](./kibana-plugin-public.coresetup.md) or [CoreStart](./kibana-plugin-public.corestart.md)) and any interfaces returned by dependency plugins' lifecycle method. Anything returned by the plugin's lifecycle method will be exposed to downstream dependencies when their corresponding lifecycle methods are invoked. - -## Classes - -| Class | Description | -| --- | --- | -| [SavedObjectsClient](./kibana-plugin-public.savedobjectsclient.md) | Saved Objects is Kibana's data persisentence mechanism allowing plugins to use Elasticsearch for storing plugin state. The client-side SavedObjectsClient is a thin convenience library around the SavedObjects HTTP API for interacting with Saved Objects. | -| [SimpleSavedObject](./kibana-plugin-public.simplesavedobject.md) | This class is a very simple wrapper for SavedObjects loaded from the server with the [SavedObjectsClient](./kibana-plugin-public.savedobjectsclient.md).It provides basic functionality for creating/saving/deleting saved objects, but doesn't include any type-specific implementations. | -| [ToastsApi](./kibana-plugin-public.toastsapi.md) | Methods for adding and removing global toast messages. | - -## Enumerations - -| Enumeration | Description | -| --- | --- | -| [AppLeaveActionType](./kibana-plugin-public.appleaveactiontype.md) | Possible type of actions on application leave. 
| -| [AppNavLinkStatus](./kibana-plugin-public.appnavlinkstatus.md) | Status of the application's navLink. | -| [AppStatus](./kibana-plugin-public.appstatus.md) | Accessibility status of an application. | - -## Interfaces - -| Interface | Description | -| --- | --- | -| [App](./kibana-plugin-public.app.md) | Extension of [common app properties](./kibana-plugin-public.appbase.md) with the mount function. | -| [AppBase](./kibana-plugin-public.appbase.md) | | -| [AppLeaveConfirmAction](./kibana-plugin-public.appleaveconfirmaction.md) | Action to return from a [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md) to show a confirmation message when trying to leave an application.See | -| [AppLeaveDefaultAction](./kibana-plugin-public.appleavedefaultaction.md) | Action to return from a [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md) to execute the default behaviour when leaving the application.See | -| [ApplicationSetup](./kibana-plugin-public.applicationsetup.md) | | -| [ApplicationStart](./kibana-plugin-public.applicationstart.md) | | -| [AppMountContext](./kibana-plugin-public.appmountcontext.md) | The context object received when applications are mounted to the DOM. Deprecated, use [CoreSetup.getStartServices()](./kibana-plugin-public.coresetup.getstartservices.md). | -| [AppMountParameters](./kibana-plugin-public.appmountparameters.md) | | -| [Capabilities](./kibana-plugin-public.capabilities.md) | The read-only set of capabilities available for the current UI session. Capabilities are simple key-value pairs of (string, boolean), where the string denotes the capability ID, and the boolean is a flag indicating if the capability is enabled or disabled. | -| [ChromeBadge](./kibana-plugin-public.chromebadge.md) | | -| [ChromeBrand](./kibana-plugin-public.chromebrand.md) | | -| [ChromeDocTitle](./kibana-plugin-public.chromedoctitle.md) | APIs for accessing and updating the document title. 
| -| [ChromeHelpExtension](./kibana-plugin-public.chromehelpextension.md) | | -| [ChromeNavControl](./kibana-plugin-public.chromenavcontrol.md) | | -| [ChromeNavControls](./kibana-plugin-public.chromenavcontrols.md) | [APIs](./kibana-plugin-public.chromenavcontrols.md) for registering new controls to be displayed in the navigation bar. | -| [ChromeNavLink](./kibana-plugin-public.chromenavlink.md) | | -| [ChromeNavLinks](./kibana-plugin-public.chromenavlinks.md) | [APIs](./kibana-plugin-public.chromenavlinks.md) for manipulating nav links. | -| [ChromeRecentlyAccessed](./kibana-plugin-public.chromerecentlyaccessed.md) | [APIs](./kibana-plugin-public.chromerecentlyaccessed.md) for recently accessed history. | -| [ChromeRecentlyAccessedHistoryItem](./kibana-plugin-public.chromerecentlyaccessedhistoryitem.md) | | -| [ChromeStart](./kibana-plugin-public.chromestart.md) | ChromeStart allows plugins to customize the global chrome header UI and enrich the UX with additional information about the current location of the browser. | -| [ContextSetup](./kibana-plugin-public.contextsetup.md) | An object that handles registration of context providers and configuring handlers with context. | -| [CoreSetup](./kibana-plugin-public.coresetup.md) | Core services exposed to the Plugin setup lifecycle | -| [CoreStart](./kibana-plugin-public.corestart.md) | Core services exposed to the Plugin start lifecycle | -| [DocLinksStart](./kibana-plugin-public.doclinksstart.md) | | -| [EnvironmentMode](./kibana-plugin-public.environmentmode.md) | | -| [ErrorToastOptions](./kibana-plugin-public.errortoastoptions.md) | Options available for [IToasts](./kibana-plugin-public.itoasts.md) APIs. | -| [FatalErrorInfo](./kibana-plugin-public.fatalerrorinfo.md) | Represents the message and stack of a fatal Error | -| [FatalErrorsSetup](./kibana-plugin-public.fatalerrorssetup.md) | FatalErrors stop the Kibana Public Core and displays a fatal error screen with details about the Kibana build and the error. 
| -| [HttpErrorRequest](./kibana-plugin-public.httperrorrequest.md) | | -| [HttpErrorResponse](./kibana-plugin-public.httperrorresponse.md) | | -| [HttpFetchOptions](./kibana-plugin-public.httpfetchoptions.md) | All options that may be used with a [HttpHandler](./kibana-plugin-public.httphandler.md). | -| [HttpFetchQuery](./kibana-plugin-public.httpfetchquery.md) | | -| [HttpHandler](./kibana-plugin-public.httphandler.md) | A function for making an HTTP requests to Kibana's backend. See [HttpFetchOptions](./kibana-plugin-public.httpfetchoptions.md) for options and [IHttpResponse](./kibana-plugin-public.ihttpresponse.md) for the response. | -| [HttpHeadersInit](./kibana-plugin-public.httpheadersinit.md) | | -| [HttpInterceptor](./kibana-plugin-public.httpinterceptor.md) | An object that may define global interceptor functions for different parts of the request and response lifecycle. See [IHttpInterceptController](./kibana-plugin-public.ihttpinterceptcontroller.md). | -| [HttpRequestInit](./kibana-plugin-public.httprequestinit.md) | Fetch API options available to [HttpHandler](./kibana-plugin-public.httphandler.md)s. | -| [HttpSetup](./kibana-plugin-public.httpsetup.md) | | -| [I18nStart](./kibana-plugin-public.i18nstart.md) | I18nStart.Context is required by any localizable React component from @kbn/i18n and @elastic/eui packages and is supposed to be used as the topmost component for any i18n-compatible React tree. | -| [IAnonymousPaths](./kibana-plugin-public.ianonymouspaths.md) | APIs for denoting paths as not requiring authentication | -| [IBasePath](./kibana-plugin-public.ibasepath.md) | APIs for manipulating the basePath on URL segments. | -| [IContextContainer](./kibana-plugin-public.icontextcontainer.md) | An object that handles registration of context providers and configuring handlers with context. 
| -| [IHttpFetchError](./kibana-plugin-public.ihttpfetcherror.md) | | -| [IHttpInterceptController](./kibana-plugin-public.ihttpinterceptcontroller.md) | Used to halt a request Promise chain in a [HttpInterceptor](./kibana-plugin-public.httpinterceptor.md). | -| [IHttpResponse](./kibana-plugin-public.ihttpresponse.md) | | -| [IHttpResponseInterceptorOverrides](./kibana-plugin-public.ihttpresponseinterceptoroverrides.md) | Properties that can be returned by HttpInterceptor.request to override the response. | -| [IUiSettingsClient](./kibana-plugin-public.iuisettingsclient.md) | Client-side client that provides access to the advanced settings stored in elasticsearch. The settings provide control over the behavior of the Kibana application. For example, a user can specify how to display numeric or date fields. Users can adjust the settings via Management UI. [IUiSettingsClient](./kibana-plugin-public.iuisettingsclient.md) | -| [LegacyCoreSetup](./kibana-plugin-public.legacycoresetup.md) | Setup interface exposed to the legacy platform via the ui/new_platform module. | -| [LegacyCoreStart](./kibana-plugin-public.legacycorestart.md) | Start interface exposed to the legacy platform via the ui/new_platform module. | -| [LegacyNavLink](./kibana-plugin-public.legacynavlink.md) | | -| [NotificationsSetup](./kibana-plugin-public.notificationssetup.md) | | -| [NotificationsStart](./kibana-plugin-public.notificationsstart.md) | | -| [OverlayBannersStart](./kibana-plugin-public.overlaybannersstart.md) | | -| [OverlayRef](./kibana-plugin-public.overlayref.md) | Returned by [OverlayStart](./kibana-plugin-public.overlaystart.md) methods for closing a mounted overlay. | -| [OverlayStart](./kibana-plugin-public.overlaystart.md) | | -| [PackageInfo](./kibana-plugin-public.packageinfo.md) | | -| [Plugin](./kibana-plugin-public.plugin.md) | The interface that should be returned by a PluginInitializer. 
| -| [PluginInitializerContext](./kibana-plugin-public.plugininitializercontext.md) | The available core services passed to a PluginInitializer | -| [SavedObject](./kibana-plugin-public.savedobject.md) | | -| [SavedObjectAttributes](./kibana-plugin-public.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the attributes property. | -| [SavedObjectReference](./kibana-plugin-public.savedobjectreference.md) | A reference to another saved object. | -| [SavedObjectsBaseOptions](./kibana-plugin-public.savedobjectsbaseoptions.md) | | -| [SavedObjectsBatchResponse](./kibana-plugin-public.savedobjectsbatchresponse.md) | | -| [SavedObjectsBulkCreateObject](./kibana-plugin-public.savedobjectsbulkcreateobject.md) | | -| [SavedObjectsBulkCreateOptions](./kibana-plugin-public.savedobjectsbulkcreateoptions.md) | | -| [SavedObjectsBulkUpdateObject](./kibana-plugin-public.savedobjectsbulkupdateobject.md) | | -| [SavedObjectsBulkUpdateOptions](./kibana-plugin-public.savedobjectsbulkupdateoptions.md) | | -| [SavedObjectsCreateOptions](./kibana-plugin-public.savedobjectscreateoptions.md) | | -| [SavedObjectsFindOptions](./kibana-plugin-public.savedobjectsfindoptions.md) | | -| [SavedObjectsFindResponsePublic](./kibana-plugin-public.savedobjectsfindresponsepublic.md) | Return type of the Saved Objects find() method.\*Note\*: this type is different between the Public and Server Saved Objects clients. | -| [SavedObjectsImportConflictError](./kibana-plugin-public.savedobjectsimportconflicterror.md) | Represents a failure to import due to a conflict. | -| [SavedObjectsImportError](./kibana-plugin-public.savedobjectsimporterror.md) | Represents a failure to import. | -| [SavedObjectsImportMissingReferencesError](./kibana-plugin-public.savedobjectsimportmissingreferenceserror.md) | Represents a failure to import due to missing references. 
| -| [SavedObjectsImportResponse](./kibana-plugin-public.savedobjectsimportresponse.md) | The response describing the result of an import. | -| [SavedObjectsImportRetry](./kibana-plugin-public.savedobjectsimportretry.md) | Describes a retry operation for importing a saved object. | -| [SavedObjectsImportUnknownError](./kibana-plugin-public.savedobjectsimportunknownerror.md) | Represents a failure to import due to an unknown reason. | -| [SavedObjectsImportUnsupportedTypeError](./kibana-plugin-public.savedobjectsimportunsupportedtypeerror.md) | Represents a failure to import due to having an unsupported saved object type. | -| [SavedObjectsMigrationVersion](./kibana-plugin-public.savedobjectsmigrationversion.md) | Information about the migrations that have been applied to this SavedObject. When Kibana starts up, KibanaMigrator detects outdated documents and migrates them based on this value. For each migration that has been applied, the plugin's name is used as a key and the latest migration version as the value. | -| [SavedObjectsStart](./kibana-plugin-public.savedobjectsstart.md) | | -| [SavedObjectsUpdateOptions](./kibana-plugin-public.savedobjectsupdateoptions.md) | | -| [UiSettingsState](./kibana-plugin-public.uisettingsstate.md) | | - -## Type Aliases - -| Type Alias | Description | -| --- | --- | -| [AppLeaveAction](./kibana-plugin-public.appleaveaction.md) | Possible actions to return from a [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md)See [AppLeaveConfirmAction](./kibana-plugin-public.appleaveconfirmaction.md) and [AppLeaveDefaultAction](./kibana-plugin-public.appleavedefaultaction.md) | -| [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md) | A handler that will be executed before leaving the application, either when going to another application or when closing the browser tab or manually changing the url. 
Should return confirm to to prompt a message to the user before leaving the page, or default to keep the default behavior (doing nothing).See [AppMountParameters](./kibana-plugin-public.appmountparameters.md) for detailed usage examples. | -| [AppMount](./kibana-plugin-public.appmount.md) | A mount function called when the user navigates to this app's route. | -| [AppMountDeprecated](./kibana-plugin-public.appmountdeprecated.md) | A mount function called when the user navigates to this app's route. | -| [AppUnmount](./kibana-plugin-public.appunmount.md) | A function called when an application should be unmounted from the page. This function should be synchronous. | -| [AppUpdatableFields](./kibana-plugin-public.appupdatablefields.md) | Defines the list of fields that can be updated via an [AppUpdater](./kibana-plugin-public.appupdater.md). | -| [AppUpdater](./kibana-plugin-public.appupdater.md) | Updater for applications. see [ApplicationSetup](./kibana-plugin-public.applicationsetup.md) | -| [ChromeBreadcrumb](./kibana-plugin-public.chromebreadcrumb.md) | | -| [ChromeHelpExtensionMenuCustomLink](./kibana-plugin-public.chromehelpextensionmenucustomlink.md) | | -| [ChromeHelpExtensionMenuDiscussLink](./kibana-plugin-public.chromehelpextensionmenudiscusslink.md) | | -| [ChromeHelpExtensionMenuDocumentationLink](./kibana-plugin-public.chromehelpextensionmenudocumentationlink.md) | | -| [ChromeHelpExtensionMenuGitHubLink](./kibana-plugin-public.chromehelpextensionmenugithublink.md) | | -| [ChromeHelpExtensionMenuLink](./kibana-plugin-public.chromehelpextensionmenulink.md) | | -| [ChromeNavLinkUpdateableFields](./kibana-plugin-public.chromenavlinkupdateablefields.md) | | -| [HandlerContextType](./kibana-plugin-public.handlercontexttype.md) | Extracts the type of the first argument of a [HandlerFunction](./kibana-plugin-public.handlerfunction.md) to represent the type of the context. 
| -| [HandlerFunction](./kibana-plugin-public.handlerfunction.md) | A function that accepts a context object and an optional number of additional arguments. Used for the generic types in [IContextContainer](./kibana-plugin-public.icontextcontainer.md) | -| [HandlerParameters](./kibana-plugin-public.handlerparameters.md) | Extracts the types of the additional arguments of a [HandlerFunction](./kibana-plugin-public.handlerfunction.md), excluding the [HandlerContextType](./kibana-plugin-public.handlercontexttype.md). | -| [HttpStart](./kibana-plugin-public.httpstart.md) | See [HttpSetup](./kibana-plugin-public.httpsetup.md) | -| [IContextProvider](./kibana-plugin-public.icontextprovider.md) | A function that returns a context value for a specific key of given context type. | -| [IToasts](./kibana-plugin-public.itoasts.md) | Methods for adding and removing global toast messages. See [ToastsApi](./kibana-plugin-public.toastsapi.md). | -| [MountPoint](./kibana-plugin-public.mountpoint.md) | A function that should mount DOM content inside the provided container element and return a handler to unmount it. | -| [PluginInitializer](./kibana-plugin-public.plugininitializer.md) | The plugin export at the root of a plugin's public directory should conform to this interface. 
| -| [PluginOpaqueId](./kibana-plugin-public.pluginopaqueid.md) | | -| [RecursiveReadonly](./kibana-plugin-public.recursivereadonly.md) | | -| [SavedObjectAttribute](./kibana-plugin-public.savedobjectattribute.md) | Type definition for a Saved Object attribute value | -| [SavedObjectAttributeSingle](./kibana-plugin-public.savedobjectattributesingle.md) | Don't use this type, it's simply a helper type for [SavedObjectAttribute](./kibana-plugin-public.savedobjectattribute.md) | -| [SavedObjectsClientContract](./kibana-plugin-public.savedobjectsclientcontract.md) | SavedObjectsClientContract as implemented by the [SavedObjectsClient](./kibana-plugin-public.savedobjectsclient.md) | -| [Toast](./kibana-plugin-public.toast.md) | | -| [ToastInput](./kibana-plugin-public.toastinput.md) | Inputs for [IToasts](./kibana-plugin-public.itoasts.md) APIs. | -| [ToastInputFields](./kibana-plugin-public.toastinputfields.md) | Allowed fields for [ToastInput](./kibana-plugin-public.toastinput.md). | -| [ToastsSetup](./kibana-plugin-public.toastssetup.md) | [IToasts](./kibana-plugin-public.itoasts.md) | -| [ToastsStart](./kibana-plugin-public.toastsstart.md) | [IToasts](./kibana-plugin-public.itoasts.md) | -| [UnmountCallback](./kibana-plugin-public.unmountcallback.md) | A function that will unmount the element previously mounted by the associated [MountPoint](./kibana-plugin-public.mountpoint.md) | - + + +[Home](./index.md) > [kibana-plugin-public](./kibana-plugin-public.md) + +## kibana-plugin-public package + +The Kibana Core APIs for client-side plugins. + +A plugin's `public/index` file must contain a named import, `plugin`, that implements [PluginInitializer](./kibana-plugin-public.plugininitializer.md) which returns an object that implements [Plugin](./kibana-plugin-public.plugin.md). + +The plugin integrates with the core system via lifecycle events: `setup`, `start`, and `stop`. 
In each lifecycle method, the plugin will receive the corresponding core services available (either [CoreSetup](./kibana-plugin-public.coresetup.md) or [CoreStart](./kibana-plugin-public.corestart.md)) and any interfaces returned by dependency plugins' lifecycle method. Anything returned by the plugin's lifecycle method will be exposed to downstream dependencies when their corresponding lifecycle methods are invoked. + +## Classes + +| Class | Description | +| --- | --- | +| [SavedObjectsClient](./kibana-plugin-public.savedobjectsclient.md) | Saved Objects is Kibana's data persisentence mechanism allowing plugins to use Elasticsearch for storing plugin state. The client-side SavedObjectsClient is a thin convenience library around the SavedObjects HTTP API for interacting with Saved Objects. | +| [SimpleSavedObject](./kibana-plugin-public.simplesavedobject.md) | This class is a very simple wrapper for SavedObjects loaded from the server with the [SavedObjectsClient](./kibana-plugin-public.savedobjectsclient.md).It provides basic functionality for creating/saving/deleting saved objects, but doesn't include any type-specific implementations. | +| [ToastsApi](./kibana-plugin-public.toastsapi.md) | Methods for adding and removing global toast messages. | + +## Enumerations + +| Enumeration | Description | +| --- | --- | +| [AppLeaveActionType](./kibana-plugin-public.appleaveactiontype.md) | Possible type of actions on application leave. | +| [AppNavLinkStatus](./kibana-plugin-public.appnavlinkstatus.md) | Status of the application's navLink. | +| [AppStatus](./kibana-plugin-public.appstatus.md) | Accessibility status of an application. | + +## Interfaces + +| Interface | Description | +| --- | --- | +| [App](./kibana-plugin-public.app.md) | Extension of [common app properties](./kibana-plugin-public.appbase.md) with the mount function. 
| +| [AppBase](./kibana-plugin-public.appbase.md) | | +| [AppLeaveConfirmAction](./kibana-plugin-public.appleaveconfirmaction.md) | Action to return from a [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md) to show a confirmation message when trying to leave an application.See | +| [AppLeaveDefaultAction](./kibana-plugin-public.appleavedefaultaction.md) | Action to return from a [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md) to execute the default behaviour when leaving the application.See | +| [ApplicationSetup](./kibana-plugin-public.applicationsetup.md) | | +| [ApplicationStart](./kibana-plugin-public.applicationstart.md) | | +| [AppMountContext](./kibana-plugin-public.appmountcontext.md) | The context object received when applications are mounted to the DOM. Deprecated, use [CoreSetup.getStartServices()](./kibana-plugin-public.coresetup.getstartservices.md). | +| [AppMountParameters](./kibana-plugin-public.appmountparameters.md) | | +| [Capabilities](./kibana-plugin-public.capabilities.md) | The read-only set of capabilities available for the current UI session. Capabilities are simple key-value pairs of (string, boolean), where the string denotes the capability ID, and the boolean is a flag indicating if the capability is enabled or disabled. | +| [ChromeBadge](./kibana-plugin-public.chromebadge.md) | | +| [ChromeBrand](./kibana-plugin-public.chromebrand.md) | | +| [ChromeDocTitle](./kibana-plugin-public.chromedoctitle.md) | APIs for accessing and updating the document title. | +| [ChromeHelpExtension](./kibana-plugin-public.chromehelpextension.md) | | +| [ChromeNavControl](./kibana-plugin-public.chromenavcontrol.md) | | +| [ChromeNavControls](./kibana-plugin-public.chromenavcontrols.md) | [APIs](./kibana-plugin-public.chromenavcontrols.md) for registering new controls to be displayed in the navigation bar. 
| +| [ChromeNavLink](./kibana-plugin-public.chromenavlink.md) | | +| [ChromeNavLinks](./kibana-plugin-public.chromenavlinks.md) | [APIs](./kibana-plugin-public.chromenavlinks.md) for manipulating nav links. | +| [ChromeRecentlyAccessed](./kibana-plugin-public.chromerecentlyaccessed.md) | [APIs](./kibana-plugin-public.chromerecentlyaccessed.md) for recently accessed history. | +| [ChromeRecentlyAccessedHistoryItem](./kibana-plugin-public.chromerecentlyaccessedhistoryitem.md) | | +| [ChromeStart](./kibana-plugin-public.chromestart.md) | ChromeStart allows plugins to customize the global chrome header UI and enrich the UX with additional information about the current location of the browser. | +| [ContextSetup](./kibana-plugin-public.contextsetup.md) | An object that handles registration of context providers and configuring handlers with context. | +| [CoreSetup](./kibana-plugin-public.coresetup.md) | Core services exposed to the Plugin setup lifecycle | +| [CoreStart](./kibana-plugin-public.corestart.md) | Core services exposed to the Plugin start lifecycle | +| [DocLinksStart](./kibana-plugin-public.doclinksstart.md) | | +| [EnvironmentMode](./kibana-plugin-public.environmentmode.md) | | +| [ErrorToastOptions](./kibana-plugin-public.errortoastoptions.md) | Options available for [IToasts](./kibana-plugin-public.itoasts.md) APIs. | +| [FatalErrorInfo](./kibana-plugin-public.fatalerrorinfo.md) | Represents the message and stack of a fatal Error | +| [FatalErrorsSetup](./kibana-plugin-public.fatalerrorssetup.md) | FatalErrors stop the Kibana Public Core and displays a fatal error screen with details about the Kibana build and the error. | +| [HttpErrorRequest](./kibana-plugin-public.httperrorrequest.md) | | +| [HttpErrorResponse](./kibana-plugin-public.httperrorresponse.md) | | +| [HttpFetchOptions](./kibana-plugin-public.httpfetchoptions.md) | All options that may be used with a [HttpHandler](./kibana-plugin-public.httphandler.md). 
| +| [HttpFetchQuery](./kibana-plugin-public.httpfetchquery.md) | | +| [HttpHandler](./kibana-plugin-public.httphandler.md) | A function for making an HTTP requests to Kibana's backend. See [HttpFetchOptions](./kibana-plugin-public.httpfetchoptions.md) for options and [IHttpResponse](./kibana-plugin-public.ihttpresponse.md) for the response. | +| [HttpHeadersInit](./kibana-plugin-public.httpheadersinit.md) | | +| [HttpInterceptor](./kibana-plugin-public.httpinterceptor.md) | An object that may define global interceptor functions for different parts of the request and response lifecycle. See [IHttpInterceptController](./kibana-plugin-public.ihttpinterceptcontroller.md). | +| [HttpRequestInit](./kibana-plugin-public.httprequestinit.md) | Fetch API options available to [HttpHandler](./kibana-plugin-public.httphandler.md)s. | +| [HttpSetup](./kibana-plugin-public.httpsetup.md) | | +| [I18nStart](./kibana-plugin-public.i18nstart.md) | I18nStart.Context is required by any localizable React component from @kbn/i18n and @elastic/eui packages and is supposed to be used as the topmost component for any i18n-compatible React tree. | +| [IAnonymousPaths](./kibana-plugin-public.ianonymouspaths.md) | APIs for denoting paths as not requiring authentication | +| [IBasePath](./kibana-plugin-public.ibasepath.md) | APIs for manipulating the basePath on URL segments. | +| [IContextContainer](./kibana-plugin-public.icontextcontainer.md) | An object that handles registration of context providers and configuring handlers with context. | +| [IHttpFetchError](./kibana-plugin-public.ihttpfetcherror.md) | | +| [IHttpInterceptController](./kibana-plugin-public.ihttpinterceptcontroller.md) | Used to halt a request Promise chain in a [HttpInterceptor](./kibana-plugin-public.httpinterceptor.md). 
| +| [IHttpResponse](./kibana-plugin-public.ihttpresponse.md) | | +| [IHttpResponseInterceptorOverrides](./kibana-plugin-public.ihttpresponseinterceptoroverrides.md) | Properties that can be returned by HttpInterceptor.request to override the response. | +| [IUiSettingsClient](./kibana-plugin-public.iuisettingsclient.md) | Client-side client that provides access to the advanced settings stored in elasticsearch. The settings provide control over the behavior of the Kibana application. For example, a user can specify how to display numeric or date fields. Users can adjust the settings via Management UI. [IUiSettingsClient](./kibana-plugin-public.iuisettingsclient.md) | +| [LegacyCoreSetup](./kibana-plugin-public.legacycoresetup.md) | Setup interface exposed to the legacy platform via the ui/new_platform module. | +| [LegacyCoreStart](./kibana-plugin-public.legacycorestart.md) | Start interface exposed to the legacy platform via the ui/new_platform module. | +| [LegacyNavLink](./kibana-plugin-public.legacynavlink.md) | | +| [NotificationsSetup](./kibana-plugin-public.notificationssetup.md) | | +| [NotificationsStart](./kibana-plugin-public.notificationsstart.md) | | +| [OverlayBannersStart](./kibana-plugin-public.overlaybannersstart.md) | | +| [OverlayRef](./kibana-plugin-public.overlayref.md) | Returned by [OverlayStart](./kibana-plugin-public.overlaystart.md) methods for closing a mounted overlay. | +| [OverlayStart](./kibana-plugin-public.overlaystart.md) | | +| [PackageInfo](./kibana-plugin-public.packageinfo.md) | | +| [Plugin](./kibana-plugin-public.plugin.md) | The interface that should be returned by a PluginInitializer. 
| +| [PluginInitializerContext](./kibana-plugin-public.plugininitializercontext.md) | The available core services passed to a PluginInitializer | +| [SavedObject](./kibana-plugin-public.savedobject.md) | | +| [SavedObjectAttributes](./kibana-plugin-public.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the attributes property. | +| [SavedObjectReference](./kibana-plugin-public.savedobjectreference.md) | A reference to another saved object. | +| [SavedObjectsBaseOptions](./kibana-plugin-public.savedobjectsbaseoptions.md) | | +| [SavedObjectsBatchResponse](./kibana-plugin-public.savedobjectsbatchresponse.md) | | +| [SavedObjectsBulkCreateObject](./kibana-plugin-public.savedobjectsbulkcreateobject.md) | | +| [SavedObjectsBulkCreateOptions](./kibana-plugin-public.savedobjectsbulkcreateoptions.md) | | +| [SavedObjectsBulkUpdateObject](./kibana-plugin-public.savedobjectsbulkupdateobject.md) | | +| [SavedObjectsBulkUpdateOptions](./kibana-plugin-public.savedobjectsbulkupdateoptions.md) | | +| [SavedObjectsCreateOptions](./kibana-plugin-public.savedobjectscreateoptions.md) | | +| [SavedObjectsFindOptions](./kibana-plugin-public.savedobjectsfindoptions.md) | | +| [SavedObjectsFindResponsePublic](./kibana-plugin-public.savedobjectsfindresponsepublic.md) | Return type of the Saved Objects find() method.\*Note\*: this type is different between the Public and Server Saved Objects clients. | +| [SavedObjectsImportConflictError](./kibana-plugin-public.savedobjectsimportconflicterror.md) | Represents a failure to import due to a conflict. | +| [SavedObjectsImportError](./kibana-plugin-public.savedobjectsimporterror.md) | Represents a failure to import. | +| [SavedObjectsImportMissingReferencesError](./kibana-plugin-public.savedobjectsimportmissingreferenceserror.md) | Represents a failure to import due to missing references. 
| +| [SavedObjectsImportResponse](./kibana-plugin-public.savedobjectsimportresponse.md) | The response describing the result of an import. | +| [SavedObjectsImportRetry](./kibana-plugin-public.savedobjectsimportretry.md) | Describes a retry operation for importing a saved object. | +| [SavedObjectsImportUnknownError](./kibana-plugin-public.savedobjectsimportunknownerror.md) | Represents a failure to import due to an unknown reason. | +| [SavedObjectsImportUnsupportedTypeError](./kibana-plugin-public.savedobjectsimportunsupportedtypeerror.md) | Represents a failure to import due to having an unsupported saved object type. | +| [SavedObjectsMigrationVersion](./kibana-plugin-public.savedobjectsmigrationversion.md) | Information about the migrations that have been applied to this SavedObject. When Kibana starts up, KibanaMigrator detects outdated documents and migrates them based on this value. For each migration that has been applied, the plugin's name is used as a key and the latest migration version as the value. | +| [SavedObjectsStart](./kibana-plugin-public.savedobjectsstart.md) | | +| [SavedObjectsUpdateOptions](./kibana-plugin-public.savedobjectsupdateoptions.md) | | +| [UiSettingsState](./kibana-plugin-public.uisettingsstate.md) | | + +## Type Aliases + +| Type Alias | Description | +| --- | --- | +| [AppLeaveAction](./kibana-plugin-public.appleaveaction.md) | Possible actions to return from a [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md)See [AppLeaveConfirmAction](./kibana-plugin-public.appleaveconfirmaction.md) and [AppLeaveDefaultAction](./kibana-plugin-public.appleavedefaultaction.md) | +| [AppLeaveHandler](./kibana-plugin-public.appleavehandler.md) | A handler that will be executed before leaving the application, either when going to another application or when closing the browser tab or manually changing the url. 
Should return confirm to to prompt a message to the user before leaving the page, or default to keep the default behavior (doing nothing).See [AppMountParameters](./kibana-plugin-public.appmountparameters.md) for detailed usage examples. | +| [AppMount](./kibana-plugin-public.appmount.md) | A mount function called when the user navigates to this app's route. | +| [AppMountDeprecated](./kibana-plugin-public.appmountdeprecated.md) | A mount function called when the user navigates to this app's route. | +| [AppUnmount](./kibana-plugin-public.appunmount.md) | A function called when an application should be unmounted from the page. This function should be synchronous. | +| [AppUpdatableFields](./kibana-plugin-public.appupdatablefields.md) | Defines the list of fields that can be updated via an [AppUpdater](./kibana-plugin-public.appupdater.md). | +| [AppUpdater](./kibana-plugin-public.appupdater.md) | Updater for applications. see [ApplicationSetup](./kibana-plugin-public.applicationsetup.md) | +| [ChromeBreadcrumb](./kibana-plugin-public.chromebreadcrumb.md) | | +| [ChromeHelpExtensionMenuCustomLink](./kibana-plugin-public.chromehelpextensionmenucustomlink.md) | | +| [ChromeHelpExtensionMenuDiscussLink](./kibana-plugin-public.chromehelpextensionmenudiscusslink.md) | | +| [ChromeHelpExtensionMenuDocumentationLink](./kibana-plugin-public.chromehelpextensionmenudocumentationlink.md) | | +| [ChromeHelpExtensionMenuGitHubLink](./kibana-plugin-public.chromehelpextensionmenugithublink.md) | | +| [ChromeHelpExtensionMenuLink](./kibana-plugin-public.chromehelpextensionmenulink.md) | | +| [ChromeNavLinkUpdateableFields](./kibana-plugin-public.chromenavlinkupdateablefields.md) | | +| [HandlerContextType](./kibana-plugin-public.handlercontexttype.md) | Extracts the type of the first argument of a [HandlerFunction](./kibana-plugin-public.handlerfunction.md) to represent the type of the context. 
| +| [HandlerFunction](./kibana-plugin-public.handlerfunction.md) | A function that accepts a context object and an optional number of additional arguments. Used for the generic types in [IContextContainer](./kibana-plugin-public.icontextcontainer.md) | +| [HandlerParameters](./kibana-plugin-public.handlerparameters.md) | Extracts the types of the additional arguments of a [HandlerFunction](./kibana-plugin-public.handlerfunction.md), excluding the [HandlerContextType](./kibana-plugin-public.handlercontexttype.md). | +| [HttpStart](./kibana-plugin-public.httpstart.md) | See [HttpSetup](./kibana-plugin-public.httpsetup.md) | +| [IContextProvider](./kibana-plugin-public.icontextprovider.md) | A function that returns a context value for a specific key of given context type. | +| [IToasts](./kibana-plugin-public.itoasts.md) | Methods for adding and removing global toast messages. See [ToastsApi](./kibana-plugin-public.toastsapi.md). | +| [MountPoint](./kibana-plugin-public.mountpoint.md) | A function that should mount DOM content inside the provided container element and return a handler to unmount it. | +| [PluginInitializer](./kibana-plugin-public.plugininitializer.md) | The plugin export at the root of a plugin's public directory should conform to this interface. 
| +| [PluginOpaqueId](./kibana-plugin-public.pluginopaqueid.md) | | +| [RecursiveReadonly](./kibana-plugin-public.recursivereadonly.md) | | +| [SavedObjectAttribute](./kibana-plugin-public.savedobjectattribute.md) | Type definition for a Saved Object attribute value | +| [SavedObjectAttributeSingle](./kibana-plugin-public.savedobjectattributesingle.md) | Don't use this type, it's simply a helper type for [SavedObjectAttribute](./kibana-plugin-public.savedobjectattribute.md) | +| [SavedObjectsClientContract](./kibana-plugin-public.savedobjectsclientcontract.md) | SavedObjectsClientContract as implemented by the [SavedObjectsClient](./kibana-plugin-public.savedobjectsclient.md) | +| [Toast](./kibana-plugin-public.toast.md) | | +| [ToastInput](./kibana-plugin-public.toastinput.md) | Inputs for [IToasts](./kibana-plugin-public.itoasts.md) APIs. | +| [ToastInputFields](./kibana-plugin-public.toastinputfields.md) | Allowed fields for [ToastInput](./kibana-plugin-public.toastinput.md). | +| [ToastsSetup](./kibana-plugin-public.toastssetup.md) | [IToasts](./kibana-plugin-public.itoasts.md) | +| [ToastsStart](./kibana-plugin-public.toastsstart.md) | [IToasts](./kibana-plugin-public.itoasts.md) | +| [UnmountCallback](./kibana-plugin-public.unmountcallback.md) | A function that will unmount the element previously mounted by the associated [MountPoint](./kibana-plugin-public.mountpoint.md) | + diff --git a/docs/management/advanced-options.asciidoc b/docs/management/advanced-options.asciidoc index 757c6f10f2a999..695a4d4f45b021 100644 --- a/docs/management/advanced-options.asciidoc +++ b/docs/management/advanced-options.asciidoc 
@@ -217,6 +217,8 @@ might increase the search time. This setting is off by default. Users must opt-i [horizontal] `siem:defaultAnomalyScore`:: The threshold above which Machine Learning job anomalies are displayed in the SIEM app. `siem:defaultIndex`:: A comma-delimited list of Elasticsearch indices from which the SIEM app collects events. +`siem:enableNewsFeed`:: Enables the News feed +`siem:newsFeedUrl`:: News feed content will be retrieved from this URL `siem:refreshIntervalDefaults`:: The default refresh interval for the SIEM time filter, in milliseconds. `siem:timeDefaults`:: The default period of time in the SIEM time filter. diff --git a/src/core/public/doc_links/doc_links_service.ts b/src/core/public/doc_links/doc_links_service.ts index 36b220f16f3950..1046f7a17dc518 100644 --- a/src/core/public/doc_links/doc_links_service.ts +++ b/src/core/public/doc_links/doc_links_service.ts @@ -106,7 +106,10 @@ export class DocLinksService { introduction: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/index-patterns.html`, }, kibana: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/index.html`, - siem: `${ELASTIC_WEBSITE_URL}guide/en/siem/guide/${DOC_LINK_VERSION}/index.html`, + siem: { + guide: `${ELASTIC_WEBSITE_URL}guide/en/siem/guide/${DOC_LINK_VERSION}/index.html`, + gettingStarted: `${ELASTIC_WEBSITE_URL}guide/en/siem/guide/${DOC_LINK_VERSION}/install-siem.html`, + }, query: { luceneQuerySyntax: `${ELASTICSEARCH_DOCS}query-dsl-query-string-query.html#query-string-syntax`, queryDsl: `${ELASTICSEARCH_DOCS}query-dsl.html`, @@ -199,7 +202,10 @@ export interface DocLinksStart { readonly introduction: string; }; readonly kibana: string; - readonly siem: string; + readonly siem: { + readonly guide: string; + readonly gettingStarted: string; + }; readonly query: { readonly luceneQuerySyntax: string; readonly queryDsl: string; diff --git a/src/core/public/public.api.md b/src/core/public/public.api.md index aef689162f45a2..610b08708c6812 100644 
--- a/src/core/public/public.api.md +++ b/src/core/public/public.api.md @@ -486,7 +486,10 @@ export interface DocLinksStart { readonly introduction: string; }; readonly kibana: string; - readonly siem: string; + readonly siem: { + readonly guide: string; + readonly gettingStarted: string; + }; readonly query: { readonly luceneQuerySyntax: string; readonly queryDsl: string; diff --git a/src/plugins/data/public/ui/query_string_input/__snapshots__/language_switcher.test.tsx.snap b/src/plugins/data/public/ui/query_string_input/__snapshots__/language_switcher.test.tsx.snap index 4ec29ca409b80b..6432f8049641ae 100644 --- a/src/plugins/data/public/ui/query_string_input/__snapshots__/language_switcher.test.tsx.snap +++ b/src/plugins/data/public/ui/query_string_input/__snapshots__/language_switcher.test.tsx.snap @@ -189,7 +189,10 @@ exports[`LanguageSwitcher should toggle off if language is lucene 1`] = ` "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, 
@@ -482,7 +485,10 @@ exports[`LanguageSwitcher should toggle on if language is kuery 1`] = ` "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, diff --git a/src/plugins/data/public/ui/query_string_input/__snapshots__/query_string_input.test.tsx.snap b/src/plugins/data/public/ui/query_string_input/__snapshots__/query_string_input.test.tsx.snap index 4c8edd85eb559a..1fb39710f67548 100644 --- a/src/plugins/data/public/ui/query_string_input/__snapshots__/query_string_input.test.tsx.snap +++ b/src/plugins/data/public/ui/query_string_input/__snapshots__/query_string_input.test.tsx.snap @@ -295,7 +295,10 @@ exports[`QueryStringInput Should disable autoFocus on EuiFieldText when disableA "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, 
@@ -918,7 +921,10 @@ exports[`QueryStringInput Should disable autoFocus on EuiFieldText when disableA "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, @@ -1523,7 +1529,10 @@ exports[`QueryStringInput Should pass the query language to the language switche "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, 
@@ -2143,7 +2152,10 @@ exports[`QueryStringInput Should pass the query language to the language switche "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, @@ -2748,7 +2760,10 @@ exports[`QueryStringInput Should render the given query 1`] = ` "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, 
@@ -3368,7 +3383,10 @@ exports[`QueryStringInput Should render the given query 1`] = ` "scriptAggs": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-aggregations.html#_values_source", "scriptFields": "https://www.elastic.co/guide/en/elasticsearch/reference/mocked-test-branch/search-request-script-fields.html", }, - "siem": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + "siem": Object { + "gettingStarted": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/install-siem.html", + "guide": "https://www.elastic.co/guide/en/siem/guide/mocked-test-branch/index.html", + }, "winlogbeat": Object { "base": "https://www.elastic.co/guide/en/beats/winlogbeat/mocked-test-branch", }, diff --git a/x-pack/legacy/plugins/siem/common/constants.ts b/x-pack/legacy/plugins/siem/common/constants.ts index e79c9db4a2ed09..e67b533e46bce1 100644 --- a/x-pack/legacy/plugins/siem/common/constants.ts +++ b/x-pack/legacy/plugins/siem/common/constants.ts @@ -29,6 +29,15 @@ export const DEFAULT_INTERVAL_TYPE = 'manual'; export const DEFAULT_INTERVAL_VALUE = 300000; // ms export const DEFAULT_TIMEPICKER_QUICK_RANGES = 'timepicker:quickRanges'; +/** This Kibana Advanced Setting enables the `Security news` feed widget */ +export const ENABLE_NEWS_FEED_SETTING = 'siem:enableNewsFeed'; + +/** This Kibana Advanced Setting specifies the URL of the News feed widget */ +export const NEWS_FEED_URL_SETTING = 'siem:newsFeedUrl'; + +/** The default value for News feed widget */ +export const NEWS_FEED_URL_SETTING_DEFAULT = 'https://feeds.elastic.co/kibana'; // TODO: replace this with the real feed URL + /** * Id for the signals alerting type */ diff --git a/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts b/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts index cf48ba716830d6..a8af321ff9832d 100644 --- a/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts 
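Review bot: `NEWS_FEED_URL_SETTING_DEFAULT` ships with `// TODO: replace this with the real feed URL`, yet it is the value every installation will use, and the `/** The default value for News feed widget */` comment does not tell a reader that more is appended to it at fetch time (getNewsFeedUrl in news_feed/helpers.ts, later in this patch, joins `v<version>.json` onto it). Either resolve the TODO before merge or state in the comment that this host is the intended production feed. Document the composition as well, e.g. `/** Default base URL of the news feed; \`v<kibana version>.json\` is appended to it when the feed is fetched */`. Since an administrator can override this value in Advanced Settings, it is also worth saying here that an absolute https URL is expected.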
+++ b/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts @@ -133,3 +133,7 @@ export const NETWORK_STATS = [ STAT_FLOW, STAT_TLS, ]; + +export const OVERVIEW_HOST_STATS = '[data-test-subj="overview-hosts-stats"]'; + +export const OVERVIEW_NETWORK_STATS = '[data-test-subj="overview-network-stats"]'; diff --git a/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/overview/overview.spec.ts b/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/overview/overview.spec.ts index 4ef3eb67cafc9c..be66fdc86be36d 100644 --- a/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/overview/overview.spec.ts +++ b/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/overview/overview.spec.ts @@ -6,7 +6,13 @@ import { OVERVIEW_PAGE } from '../../lib/urls'; import { clearFetch, stubApi } from '../../lib/fixtures/helpers'; -import { HOST_STATS, NETWORK_STATS, STAT_AUDITD } from '../../lib/overview/selectors'; +import { + HOST_STATS, + NETWORK_STATS, + OVERVIEW_HOST_STATS, + OVERVIEW_NETWORK_STATS, + STAT_AUDITD, +} from '../../lib/overview/selectors'; import { loginAndWaitForPage } from '../../lib/util/helpers'; describe('Overview Page', () => { @@ -17,6 +23,14 @@ describe('Overview Page', () => { }); it('Host and Network stats render with correct values', () => { + cy.get(OVERVIEW_HOST_STATS) + .find('button') + .invoke('click'); + + cy.get(OVERVIEW_NETWORK_STATS) + .find('button') + .invoke('click'); + cy.get(STAT_AUDITD.domId); HOST_STATS.forEach(stat => { diff --git a/x-pack/legacy/plugins/siem/index.ts b/x-pack/legacy/plugins/siem/index.ts index 1907dbac707e3b..edbb62feb580f8 100644 --- a/x-pack/legacy/plugins/siem/index.ts +++ b/x-pack/legacy/plugins/siem/index.ts @@ -25,6 +25,9 @@ import { DEFAULT_FROM, DEFAULT_TO, DEFAULT_SIGNALS_INDEX, + ENABLE_NEWS_FEED_SETTING, + NEWS_FEED_URL_SETTING, + NEWS_FEED_URL_SETTING_DEFAULT, SIGNALS_INDEX_KEY, } from './common/constants'; import { defaultIndexPattern } from './default_index_pattern'; 
@@ -118,6 +121,29 @@ export const siem = (kibana: any) => { category: ['siem'], requiresPageReload: true, }, + [ENABLE_NEWS_FEED_SETTING]: { + name: i18n.translate('xpack.siem.uiSettings.enableNewsFeedLabel', { + defaultMessage: 'News feed', + }), + value: true, + description: i18n.translate('xpack.siem.uiSettings.enableNewsFeedDescription', { + defaultMessage: '

Enables the News feed

', + }), + type: 'boolean', + category: ['siem'], + requiresPageReload: true, + }, + [NEWS_FEED_URL_SETTING]: { + name: i18n.translate('xpack.siem.uiSettings.newsFeedUrl', { + defaultMessage: 'News feed URL', + }), + value: NEWS_FEED_URL_SETTING_DEFAULT, + description: i18n.translate('xpack.siem.uiSettings.newsFeedUrlDescription', { + defaultMessage: '

News feed content will be retrieved from this URL

', + }), + category: ['siem'], + requiresPageReload: true, + }, }, mappings: savedObjectMappings, }, diff --git a/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx b/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx index 9e0207cf306ee6..87d83f7f2972c1 100644 --- a/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx @@ -14,9 +14,13 @@ import { MatrixHistogramOption } from '../matrix_histogram/types'; import { MatrixHistogramContainer } from '../../containers/matrix_histogram'; import { MatrixHistogramGqlQuery } from '../../containers/matrix_histogram/index.gql_query'; const ID = 'alertsOverTimeQuery'; -const alertsStackByOptions: MatrixHistogramOption[] = [ +export const alertsStackByOptions: MatrixHistogramOption[] = [ { - text: i18n.ALERTS_STACK_BY_MODULE, + text: i18n.CATEGORY, + value: 'event.category', + }, + { + text: i18n.MODULE, value: 'event.module', }, ]; @@ -51,7 +55,7 @@ export const AlertsView = ({ } + iconType="securityAnalyticsApp" title={
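Review bot: The `[NEWS_FEED_URL_SETTING]` entry is registered without a `type` and without any validation, while the boolean entry just above it declares `type: 'boolean'`; whatever string an administrator saves is later used verbatim as the base of a cross-origin fetch issued from every user's browser (fetchNews in news_feed/helpers.ts in this patch). Declare it as `type: 'string'` and reject values that are not absolute `https://` URLs, through the uiSettings `validation: { regexString, message }` entry if this version's settings service supports it, otherwise at read time before the value reaches fetch. The `requiresPageReload: true` is fine, but note that a changed URL only takes effect after reload, so a validation failure should be surfaced at save time rather than silently producing an empty feed. The enclosing `siem` plugin definition starts before and ends after this hunk.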

My Super Title diff --git a/x-pack/legacy/plugins/siem/public/components/empty_page/index.tsx b/x-pack/legacy/plugins/siem/public/components/empty_page/index.tsx index f2b0ec1ab5e608..a067c1d28f87fa 100644 --- a/x-pack/legacy/plugins/siem/public/components/empty_page/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/empty_page/index.tsx @@ -43,6 +43,7 @@ export const EmptyPage = React.memo( ...rest }) => ( {title}

} body={message &&

{message}

} actions={ diff --git a/x-pack/legacy/plugins/siem/public/components/events_viewer/translations.ts b/x-pack/legacy/plugins/siem/public/components/events_viewer/translations.ts index 6e6be02a6085d2..376ddf72ce481e 100644 --- a/x-pack/legacy/plugins/siem/public/components/events_viewer/translations.ts +++ b/x-pack/legacy/plugins/siem/public/components/events_viewer/translations.ts @@ -10,6 +10,13 @@ export const SHOWING = i18n.translate('xpack.siem.eventsViewer.showingLabel', { defaultMessage: 'Showing', }); +export const ERROR_FETCHING_EVENTS_DATA = i18n.translate( + 'xpack.siem.eventsViewer.errorFetchingEventsData', + { + defaultMessage: 'Failed to query events data', + } +); + export const EVENTS = i18n.translate('xpack.siem.eventsViewer.eventsLabel', { defaultMessage: 'Events', }); diff --git a/x-pack/legacy/plugins/siem/public/components/formatted_date/index.tsx b/x-pack/legacy/plugins/siem/public/components/formatted_date/index.tsx index 4e5903c02abf7a..fb579a14b04575 100644 --- a/x-pack/legacy/plugins/siem/public/components/formatted_date/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/formatted_date/index.tsx 
@@ -10,17 +10,60 @@ import { FormattedRelative } from '@kbn/i18n/react'; import { useDateFormat, useTimeZone } from '../../hooks'; import { getOrEmptyTagFromValue } from '../empty_value'; +import { useUiSetting$ } from '../../lib/kibana'; import { LocalizedDateTooltip } from '../localized_date_tooltip'; import { getMaybeDate } from './maybe_date'; -export const PreferenceFormattedDate = React.memo<{ value: Date }>(({ value }) => { - const dateFormat = useDateFormat(); - const timeZone = useTimeZone(); +export const PreferenceFormattedDate = React.memo<{ dateFormat?: string; value: Date }>( + ({ value, dateFormat = useDateFormat() }) => ( + <>{moment.tz(value, useTimeZone()).format(dateFormat)} + ) +); + +PreferenceFormattedDate.displayName = 'PreferenceFormattedDate'; - return <>{moment.tz(value, timeZone).format(dateFormat)}; +/** + * This function may be passed to `Array.find()` to locate the `P1DT` + * configuration (sub) setting, a string array that contains two entries + * like the following example: `['P1DT', 'YYYY-MM-DD']`. + */ +export const isP1DTFormatterSetting = (formatNameFormatterPair?: string[]) => + Array.isArray(formatNameFormatterPair) && + formatNameFormatterPair[0] === 'P1DT' && + formatNameFormatterPair.length === 2; + +/** + * Renders a date in `P1DT` format, e.g. `YYYY-MM-DD`, as specified by + * the `P1DT1` entry in the `dateFormat:scaled` Kibana Advanced setting. + * + * If the `P1DT` format is not specified in the `dateFormat:scaled` setting, + * the fallback format `YYYY-MM-DD` will be applied + */ +export const PreferenceFormattedP1DTDate = React.memo<{ value: Date }>(({ value }) => { + /** + * A fallback "format name / formatter" 2-tuple for the `P1DT` formatter, which is + * one of many such pairs expected to be contained in the `dateFormat:scaled` + * Kibana advanced setting. 
+ */ + const FALLBACK_DATE_FORMAT_SCALED_P1DT = ['P1DT', 'YYYY-MM-DD']; + + // Read the 'dateFormat:scaled' Kibana Advanced setting, which contains 2-tuple sub-settings: + const [scaledDateFormatPreference] = useUiSetting$('dateFormat:scaled'); + + // attempt to find the nested `['P1DT', 'formatString']` setting + const maybeP1DTFormatter = Array.isArray(scaledDateFormatPreference) + ? scaledDateFormatPreference.find(isP1DTFormatterSetting) + : null; + + const p1dtFormat = + Array.isArray(maybeP1DTFormatter) && maybeP1DTFormatter.length === 2 + ? maybeP1DTFormatter[1] + : FALLBACK_DATE_FORMAT_SCALED_P1DT[1]; + + return ; }); -PreferenceFormattedDate.displayName = 'PreferenceFormattedDate'; +PreferenceFormattedP1DTDate.displayName = 'PreferenceFormattedP1DTDate'; /** * Renders the specified date value in a format determined by the user's preferences, diff --git a/x-pack/legacy/plugins/siem/public/components/header_global/__snapshots__/index.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/header_global/__snapshots__/index.test.tsx.snap index 849f3616524cc5..aaefb4a83ded4f 100644 --- a/x-pack/legacy/plugins/siem/public/components/header_global/__snapshots__/index.test.tsx.snap +++ b/x-pack/legacy/plugins/siem/public/components/header_global/__snapshots__/index.test.tsx.snap @@ -30,48 +30,11 @@ exports[`HeaderGlobal it renders 1`] = ` - + + + diff --git a/x-pack/legacy/plugins/siem/public/components/header_global/index.tsx b/x-pack/legacy/plugins/siem/public/components/header_global/index.tsx index 53365a4daa34a4..db6ff7cf55f920 100644 --- a/x-pack/legacy/plugins/siem/public/components/header_global/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/header_global/index.tsx 
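Review bot: `PreferenceFormattedDate` now calls `useDateFormat()` as a parameter default (`dateFormat = useDateFormat()`), so the hook runs only on renders where the prop is undefined; a caller that passes `dateFormat` on some renders and omits it on others changes the number of hooks called between renders, which React's hook rules forbid. Call the hook unconditionally in the body and fall back from it: `const defaultDateFormat = useDateFormat();` followed by `.format(dateFormat ?? defaultDateFormat)`. The inline `useTimeZone()` call is unconditional and therefore correct, but hoisting it next to the other hook would make that obvious. The element returned by `PreferenceFormattedP1DTDate` (`return ;`) appears to have been lost in the rendering of this page, so what it renders cannot be checked here; its docstring also refers to a `P1DT1` entry where the code looks for `P1DT`, which looks like a typo.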
@@ -16,6 +16,7 @@ import { getOverviewUrl } from '../link_to'; import { MlPopover } from '../ml_popover/ml_popover'; import { SiemNavigation } from '../navigation'; import * as i18n from './translations'; +import { indicesExistOrDataTemporarilyUnavailable, WithSource } from '../../containers/source'; const Wrapper = styled.header` ${({ theme }) => css` @@ -47,14 +48,25 @@ export const HeaderGlobal = React.memo(({ hideDetectionEngine - key !== SiemPageName.detectionEngine, navTabs) - : navTabs + + {({ indicesExist }) => + indicesExistOrDataTemporarilyUnavailable(indicesExist) ? ( + key !== SiemPageName.detectionEngine, navTabs) + : navTabs + } + /> + ) : ( + key === SiemPageName.overview, navTabs)} + /> + ) } - /> + diff --git a/x-pack/legacy/plugins/siem/public/components/help_menu/index.tsx b/x-pack/legacy/plugins/siem/public/components/help_menu/index.tsx index d42ee08e864079..732d83ac6e7361 100644 --- a/x-pack/legacy/plugins/siem/public/components/help_menu/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/help_menu/index.tsx @@ -7,6 +7,7 @@ import React, { useEffect } from 'react'; import chrome from 'ui/chrome'; import { i18n } from '@kbn/i18n'; +import { documentationLinks } from 'ui/documentation_links'; export const HelpMenu = React.memo(() => { useEffect(() => { @@ -15,6 +16,14 @@ export const HelpMenu = React.memo(() => { defaultMessage: 'SIEM', }), links: [ + { + content: i18n.translate('xpack.siem.chrome.helpMenu.documentation', { + defaultMessage: 'SIEM documentation', + }), + href: documentationLinks.siem.guide, + iconType: 'documents', + linkType: 'custom', + }, { linkType: 'discuss', href: 'https://discuss.elastic.co/c/siem', diff --git a/x-pack/legacy/plugins/siem/public/components/link_to/index.ts b/x-pack/legacy/plugins/siem/public/components/link_to/index.ts index 10198345755c37..ad6147e5aad769 100644 --- a/x-pack/legacy/plugins/siem/public/components/link_to/index.ts +++ b/x-pack/legacy/plugins/siem/public/components/link_to/index.ts 
@@ -10,6 +10,6 @@ export { RedirectToDetectionEnginePage, } from './redirect_to_detection_engine'; export { getOverviewUrl, RedirectToOverviewPage } from './redirect_to_overview'; -export { getHostsUrl, getHostDetailsUrl } from './redirect_to_hosts'; +export { getHostDetailsUrl, getHostsUrl } from './redirect_to_hosts'; export { getNetworkUrl, getIPDetailsUrl, RedirectToNetworkPage } from './redirect_to_network'; export { getTimelinesUrl, RedirectToTimelinesPage } from './redirect_to_timelines'; diff --git a/x-pack/legacy/plugins/siem/public/components/link_to/link_to.tsx b/x-pack/legacy/plugins/siem/public/components/link_to/link_to.tsx index 5a7f6ef1274c91..b19ed8e44be9da 100644 --- a/x-pack/legacy/plugins/siem/public/components/link_to/link_to.tsx +++ b/x-pack/legacy/plugins/siem/public/components/link_to/link_to.tsx @@ -38,11 +38,11 @@ export const LinkToPage = React.memo(({ match }) => ( /> { const barchartConfigs = getBarchartConfigs({ from: startDate, + legendPosition, to: endDate, onBrushEnd: updateDateRange, scaleType, yTickFormatter, showLegend, - legendPosition, }); const [showInspect, setShowInspect] = useState(false); const [darkMode] = useUiSetting$(DEFAULT_DARK_MODE); @@ -90,6 +91,8 @@ export const MatrixHistogramComponent: React.FC( defaultStackByOption ); + + const [titleWithStackByField, setTitle] = useState(''); const [subtitleWithCounts, setSubtitle] = useState(''); const [hideHistogram, setHideHistogram] = useState(hideHistogramIfEmpty); const [barChartData, setBarChartData] = useState(null); @@ -130,6 +133,8 @@ export const MatrixHistogramComponent: React.FC { + if (title != null) setTitle(typeof title === 'function' ? title(selectedStackByOption) : title); + if (subtitle != null) setSubtitle(typeof subtitle === 'function' ? subtitle(totalCount) : subtitle); 
@@ -169,17 +174,22 @@ export const MatrixHistogramComponent: React.FC = 0 ? subtitleWithCounts : null)} > - {stackByOptions && ( - - )} + + + {stackByOptions && ( + + )} + + {headerChildren} + {loading ? ( diff --git a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts index 39a16b6c1b3d1b..f10533460a776f 100644 --- a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts +++ b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts @@ -28,12 +28,16 @@ export interface MatrixHistogramOption { } export type GetSubTitle = (count: number) => string; +export type GetTitle = (matrixHistogramOption: MatrixHistogramOption) => string; + export interface MatrixHistogramBasicProps { defaultIndex: string[]; defaultStackByOption: MatrixHistogramOption; endDate: number; + headerChildren?: React.ReactNode; hideHistogramIfEmpty?: boolean; id: string; + legendPosition?: Position; mapping?: MatrixHistogramMappingTypes; setQuery: SetQuery; sourceId: string; @@ -56,7 +60,7 @@ export interface MatrixHistogramQueryProps { stackByField: string; skip: boolean; startDate: number; - title: string; + title: string | GetTitle; isAlertsHistogram?: boolean; isAnomaliesHistogram?: boolean; isAuthenticationsHistogram?: boolean; diff --git a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts index 5d79bbc0ceb238..c20b5ee30d919a 100644 --- a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts +++ b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts 
@@ -11,20 +11,20 @@ import { MatrixHistogramDataTypes, MatrixHistogramMappingTypes } from './types'; export const getBarchartConfigs = ({ from, + legendPosition, to, scaleType, onBrushEnd, yTickFormatter, showLegend, - legendPosition, }: { from: number; + legendPosition?: Position; to: number; scaleType: ScaleType; onBrushEnd: UpdateDateRange; yTickFormatter?: (value: number) => string; showLegend?: boolean; - legendPosition?: Position; }) => ({ series: { xScaleType: scaleType || ScaleType.Time, @@ -40,7 +40,7 @@ export const getBarchartConfigs = ({ tickSize: 8, }, settings: { - legendPosition: legendPosition || Position.Bottom, + legendPosition: legendPosition ?? Position.Bottom, onBrushEnd, showLegend: showLegend || true, theme: { diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/helpers.ts b/x-pack/legacy/plugins/siem/public/components/news_feed/helpers.ts new file mode 100644 index 00000000000000..497127cdfba3d2 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/helpers.ts 
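Review bot: Next to the changed `legendPosition: legendPosition ?? Position.Bottom`, the unchanged `showLegend: showLegend || true` can never be false (`false || true` is `true`), so the `showLegend` option is dead and the legend is always shown. The `??` introduced on the line above is the right form; apply it here as well: `showLegend: showLegend ?? true,`. The rest of getBarchartConfigs is outside the hunk.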
@@ -0,0 +1,89 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { get } from 'lodash/fp';
+import moment from 'moment';
+import uuid from 'uuid';
+
+import { NewsItem, RawNewsApiItem, RawNewsApiResponse } from './types';
+import { throwIfNotOk } from '../../hooks/api/api';
+
+/**
+ * Combines the URL specified with the `newsFeedUrlSetting` with the Kibana
+ * version returned from `getKibanaVersion` to form a complete path to the
+ * news (specific to the current version of Kibana)
+ */
+export const getNewsFeedUrl = ({
+ newsFeedUrlSetting,
+ getKibanaVersion,
+}: {
+ newsFeedUrlSetting: string;
+ getKibanaVersion: () => string;
+}) => [newsFeedUrlSetting, `v${getKibanaVersion()}.json`].join('/');
+
+export const NEWS_FEED_FALLBACK_LANGUAGE = 'en';
+
+/**
+ * Returns the current locale of the browser as specified in the `document`,
+ * or the value of `fallback` if the locale could not be retrieved
+ */
+export const getLocale = (fallback: string): string =>
+ document.documentElement.lang?.toLowerCase() ?? fallback; // use the `lang` attribute of the `html` tag
+
+const NO_NEWS_ITEMS: NewsItem[] = [];
+
+/**
+ * Transforms a `RawNewsApiResponse` from the news feed API to a collection of
+ * `NewsItem`s
+ */
+export const getNewsItemsFromApiResponse = (response?: RawNewsApiResponse): NewsItem[] => {
+ const locale = getLocale(NEWS_FEED_FALLBACK_LANGUAGE);
+
+ if (response == null || response.items == null) {
+ return NO_NEWS_ITEMS;
+ }
+
+ return response.items
+ .filter((x: RawNewsApiItem | null) => x != null)
+ .map(x => ({
+ description:
+ get(locale, x.description) ?? get(NEWS_FEED_FALLBACK_LANGUAGE, x.description) ?? '',
+ expireOn: new Date(x.expire_on ?? ''),
+ hash: x.hash ?? uuid.v4(),
+ imageUrl: x.image_url ?? null,
+ linkUrl: get(locale, x.link_url) ?? get(NEWS_FEED_FALLBACK_LANGUAGE, x.link_url) ?? '',
+ publishOn: new Date(x.publish_on ?? ''),
+ title: get(locale, x.title) ?? get(NEWS_FEED_FALLBACK_LANGUAGE, x.title) ?? '',
+ }));
+};
+
+/**
+ * Fetches `RawNewsApiResponse` from the specified `newsFeedUrl`, via a
+ * cross-origin (CORS) request. This function throws an error if the request
+ * fails
+ */
+export const fetchNews = async ({
+ newsFeedUrl,
+}: {
+ newsFeedUrl: string;
+}): Promise => {
+ const response = await fetch(newsFeedUrl, {
+ credentials: 'omit',
+ method: 'GET',
+ mode: 'cors',
+ });
+
+ await throwIfNotOk(response);
+
+ return response.json();
+};
+
+/**
+ * Returns false if `now` is before the `NewsItem` `publishOn` date, or
+ * after the `expireOn` date
+ */
+export const showNewsItem = ({ publishOn, expireOn }: NewsItem): boolean =>
+ !moment().isBefore(publishOn) && !moment().isAfter(expireOn);
diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx
new file mode 100644
index 00000000000000..95f12758d5e635
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx
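Review bot: `getNewsItemsFromApiResponse` copies `link_url` and `image_url` from the remote feed into `linkUrl`/`imageUrl` without checking their scheme, and the feed host itself is an admin-editable setting (`siem:newsFeedUrl`); how `Post` renders these fields is not visible in this patch, but if `linkUrl` ends up as an anchor `href`, a non-http(s) scheme in feed content would execute in the page, and it is cheapest to restrict both to `http:`/`https:` here where the data enters. `getLocale` also never returns `fallback`: `document.documentElement.lang` is always a string (empty when the attribute is absent), so `'' ?? fallback` yields `''`; use `|| fallback` or an explicit emptiness test. Separately, a missing `expire_on` produces an invalid Date, which `showNewsItem` then treats as never expiring (`isAfter(invalid)` is false); confirm that is intended and, if so, say so in its docstring.
```typescript
/** Keeps only absolute http(s) URLs coming from the remote feed; anything else becomes '' */
const toHttpUrlOrEmpty = (candidate: unknown): string => {
  if (typeof candidate !== 'string') return '';
  try {
    const { protocol } = new URL(candidate);
    return protocol === 'http:' || protocol === 'https:' ? candidate : '';
  } catch {
    return '';
  }
};

export const getLocale = (fallback: string): string =>
  document.documentElement.lang?.toLowerCase() || fallback; // an absent attribute gives '', which must fall back too

// … unchanged: getNewsItemsFromApiResponse up to the map callback …
      imageUrl: x.image_url == null ? null : toHttpUrlOrEmpty(x.image_url) || null,
      linkUrl: toHttpUrlOrEmpty(get(locale, x.link_url) ?? get(NEWS_FEED_FALLBACK_LANGUAGE, x.link_url)),
```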
@@ -0,0 +1,57 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React, { useEffect, useState } from 'react'; +import chrome from 'ui/chrome'; + +import { fetchNews, getNewsFeedUrl, getNewsItemsFromApiResponse } from './helpers'; +import { useUiSetting$ } from '../../lib/kibana'; +import { NewsFeed } from './news_feed'; +import { NewsItem } from './types'; + +export const StatefulNewsFeed = React.memo<{ + enableNewsFeedSetting: string; + newsFeedSetting: string; +}>(({ enableNewsFeedSetting, newsFeedSetting }) => { + const [enableNewsFeed] = useUiSetting$(enableNewsFeedSetting); + const [newsFeedUrlSetting] = useUiSetting$(newsFeedSetting); + const [news, setNews] = useState(null); + + const newsFeedUrl = getNewsFeedUrl({ + newsFeedUrlSetting, + getKibanaVersion: chrome.getKibanaVersion, + }); + + useEffect(() => { + let canceled = false; + + const fetchData = async () => { + try { + const apiResponse = await fetchNews({ newsFeedUrl }); + + if (!canceled) { + setNews(getNewsItemsFromApiResponse(apiResponse)); + } + } catch { + if (!canceled) { + setNews([]); + } + } + }; + + if (enableNewsFeed) { + fetchData(); + } + + return () => { + canceled = true; + }; + }, [enableNewsFeed, newsFeedUrl]); + + return <>{enableNewsFeed ? : null}; +}); + +StatefulNewsFeed.displayName = 'StatefulNewsFeed'; diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx new file mode 100644 index 00000000000000..d41ce357d9b7b4 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx 
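Review bot: The `catch` in `fetchData` discards the error and calls `setNews([])`, and `NewsFeed` renders `NoNews` for an empty array, so a blocked outbound request, a CORS failure or a non-2xx response rejected by `throwIfNotOk` is shown to the user as "Your current News feed URL returned no recent news". That message points admins at the URL setting when the real cause may be egress filtering or a certificate problem, which is exactly what a SIEM operator needs to be able to tell apart. I would keep a separate error state, `const [fetchError, setFetchError] = useState<Error | null>(null);`, set it in the `catch` with `setFetchError(e instanceof Error ? e : new Error(String(e)));`, and let `NewsFeed` render a distinct failure message, or at minimum log the error before falling back to `[]`.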
@@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiLoadingSpinner, EuiSpacer } from '@elastic/eui'; +import React from 'react'; + +import { NoNews } from './no_news'; +import { NEWS_FEED_TITLE } from '../../pages/overview/translations'; +import { Post } from './post'; +import { SidebarHeader } from '../sidebar_header'; +import { NewsItem } from './types'; + +interface Props { + news: NewsItem[] | null | undefined; +} + +export const NewsFeed = React.memo(({ news }) => { + if (news == null) { + return ; + } + + if (news.length === 0) { + return ; + } + + return ( + <> + + {news.map((n: NewsItem) => ( + + + + + ))} + + ); +}); + +NewsFeed.displayName = 'NewsFeed'; diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/news_link/index.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/news_link/index.tsx new file mode 100644 index 00000000000000..b50ed578fb0bc3 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/news_link/index.tsx 
@@ -0,0 +1,24 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiLink } from '@elastic/eui'; +import React from 'react'; + +/** prevents links to the new pages from accessing `window.opener` */ +const REL_NOOPENER = 'noopener'; + +/** prevents search engine manipulation by noting the linked document is not trusted or endorsed by us */ +const REL_NOFOLLOW = 'nofollow'; + +/** prevents the browser from sending the current address as referrer via the Referer HTTP header */ +const REL_NOREFERRER = 'noreferrer'; + +/** A hyperlink to a (presumed to be external) news site */ +export const NewsLink = ({ href, children }: { href: string; children: React.ReactNode }) => ( + + {children} + +); diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx new file mode 100644 index 00000000000000..bd6648025d2aa2 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx @@ -0,0 +1,24 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiLink, EuiText } from '@elastic/eui'; +import React from 'react'; + +import * as i18n from '../translations'; + +export const NoNews = React.memo(() => ( + <> + + {i18n.NO_NEWS_MESSAGE} + + {i18n.ADVANCED_SETTINGS_LINK_TITLE} + + {'.'} + + +)); + +NoNews.displayName = 'NoNews'; diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/post/index.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/post/index.tsx new file mode 100644 index 00000000000000..cb2542a497f088 
--- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/post/index.tsx @@ -0,0 +1,62 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiText } from '@elastic/eui'; +import React from 'react'; +import styled from 'styled-components'; + +import { PreferenceFormattedP1DTDate } from '../../formatted_date'; +import { showNewsItem } from '../helpers'; +import { NewsLink } from '../news_link'; +import { NewsItem } from '../types'; + +const NewsItemPreviewImage = styled.img` + height: 56px; + margin-left: 16px; + min-width: 56px; + padding: 4px; + width: 56px; +`; + +export const Post = React.memo<{ newsItem: NewsItem }>(({ newsItem }) => { + const { linkUrl, title, publishOn, description, imageUrl } = newsItem; + + if (!showNewsItem(newsItem)) { + return null; + } + + return ( + + + + {title} + + + + + +
{description}
+
+
+ + + {imageUrl && ( + + + + )} + +
+ ); +}); + +Post.displayName = 'Post'; diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts b/x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts new file mode 100644 index 00000000000000..71981723cc9379 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { i18n } from '@kbn/i18n'; + +export const NO_NEWS_MESSAGE = i18n.translate('xpack.siem.newsFeed.noNewsMessage', { + defaultMessage: + 'Your current News feed URL returned no recent news. You may update the URL or disable security news via', +}); + +export const ADVANCED_SETTINGS_LINK_TITLE = i18n.translate( + 'xpack.siem.newsFeed.advancedSettingsLinkTitle', + { + defaultMessage: 'SIEM advanced settings', + } +); diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/types.ts b/x-pack/legacy/plugins/siem/public/components/news_feed/types.ts new file mode 100644 index 00000000000000..2ee5a4c3c02aab --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/types.ts 
@@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +/** + * For rendering, `RawNewsApiItem`s are transformed to this + * representation of a news item + */ +export interface NewsItem { + description: string; + expireOn: Date; + hash: string; + imageUrl: string | null; + linkUrl: string; + publishOn: Date; + title: string; +} + +/** + * The raw (wire format) representation of a News API item + */ +export interface RawNewsApiItem { + badge?: { [lang: string]: string | null } | null; + description?: { [lang: string]: string | null } | null; + expire_on?: Date | null; + hash?: string | null; + image_url?: string | null; + languages?: string[] | null; + link_text?: { [lang: string]: string | null } | null; + link_url?: { [lang: string]: string | null } | null; + publish_on?: Date | null; + title?: { [lang: string]: string } | null; +} + +/** + * Defines the shape of a raw response from the News API + */ +export interface RawNewsApiResponse { + items?: RawNewsApiItem[]; +} diff --git a/x-pack/legacy/plugins/siem/public/components/page/manage_query.tsx b/x-pack/legacy/plugins/siem/public/components/page/manage_query.tsx index 3274bc485d6cde..138c38c02065bd 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/manage_query.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/manage_query.tsx @@ -4,6 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ +import { Position } from '@elastic/charts'; import { omit } from 'lodash/fp'; import React from 'react'; 
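Review bot: `RawNewsApiItem.expire_on` and `publish_on` are typed `Date | null`, but the interface is documented as the wire format and `fetchNews` produces it from `response.json()`, which can only yield strings or numbers for those fields; the type misdescribes the data and only works because `new Date(x.expire_on ?? '')` in `helpers.ts` happens to accept strings. I would declare them `expire_on?: string | null;` and `publish_on?: string | null;` and keep `Date` for the transformed `NewsItem` only. Since `response.json()` returns `any`, the `RawNewsApiResponse` shape is an unchecked assumption about a third-party payload; a comment on the interface such as `/** Not validated at runtime; consumers must tolerate missing or mistyped fields. */` would make that explicit for the next maintainer.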
@@ -12,7 +13,9 @@ import { SetQuery } from '../../pages/hosts/navigation/types'; interface OwnProps { deleteQuery?: ({ id }: { id: string }) => void; + headerChildren?: React.ReactNode; id: string; + legendPosition?: Position; loading: boolean; refetch: inputsModel.Refetch; setQuery: SetQuery; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx index a70d9d00802718..e069e64c66a926 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx @@ -5,23 +5,28 @@ */ import { EuiButton, EuiFlexItem, EuiPanel } from '@elastic/eui'; +import numeral from '@elastic/numeral'; import { FormattedMessage } from '@kbn/i18n/react'; import React from 'react'; -import { HeaderSection } from '../../../header_section'; -import { manageQuery } from '../../../page/manage_query'; +import { DEFAULT_NUMBER_FORMAT } from '../../../../../common/constants'; +import { ESQuery } from '../../../../../common/typed_json'; import { ID as OverviewHostQueryId, OverviewHostQuery, } from '../../../../containers/overview/overview_host'; -import { inputsModel } from '../../../../store/inputs'; -import { OverviewHostStats } from '../overview_host_stats'; +import { HeaderSection } from '../../../header_section'; +import { useUiSetting$ } from '../../../../lib/kibana'; import { getHostsUrl } from '../../../link_to'; +import { getOverviewHostStats, OverviewHostStats } from '../overview_host_stats'; +import { manageQuery } from '../../../page/manage_query'; +import { inputsModel } from '../../../../store/inputs'; import { InspectButtonContainer } from '../../../inspect'; export interface OwnProps { startDate: number; endDate: number; + filterQuery?: ESQuery | string; setQuery: ({ id, inspect, 
@@ -37,44 +42,76 @@ export interface OwnProps { const OverviewHostStatsManage = manageQuery(OverviewHostStats); type OverviewHostProps = OwnProps; +export const OverviewHost = React.memo( + ({ endDate, filterQuery, startDate, setQuery }) => { + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + + return ( + + + + + {({ overviewHost, loading, id, inspect, refetch }) => { + const hostEventsCount = getOverviewHostStats(overviewHost).reduce( + (total, stat) => total + stat.count, + 0 + ); + const formattedHostEventsCount = numeral(hostEventsCount).format( + defaultNumberFormat + ); -const OverviewHostComponent: React.FC = ({ endDate, startDate, setQuery }) => ( - - - - - } - title={ - - } - > - - - - + return ( + <> + + } + title={ + + } + > + + + + - - {({ overviewHost, loading, id, inspect, refetch }) => ( - - )} - - - - + + + ); + }} + + + + + ); + } ); -export const OverviewHost = React.memo(OverviewHostComponent); +OverviewHost.displayName = 'OverviewHost'; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap index 142a9a03b78443..21a4568e241335 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap 
@@ -1,233 +1,637 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`Overview Host Stat Data rendering it renders the default OverviewHostStats 1`] = ` - - - - - + + + + + + + + + + } + buttonContentClassName="accordion-button" + id="host-stat-accordion-groupauditbeat" + initialIsOpen={false} + paddingSize="none" > - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + } + buttonContentClassName="accordion-button" + id="host-stat-accordion-groupendgame" + initialIsOpen={false} + paddingSize="none" > - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + } + buttonContentClassName="accordion-button" + id="host-stat-accordion-groupfilebeat" + initialIsOpen={false} + paddingSize="none" > - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + } + buttonContentClassName="accordion-button" + id="host-stat-accordion-groupwinlogbeat" + initialIsOpen={false} + paddingSize="none" > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + `; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.test.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.test.tsx index f99b2687d70728..4240ea441284cf 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.test.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.test.tsx 
@@ -4,11 +4,12 @@ * you may not use this file except in compliance with the Elastic License. */ -import { shallow } from 'enzyme'; +import { mount, shallow } from 'enzyme'; import React from 'react'; import { OverviewHostStats } from '.'; import { mockData } from './mock'; +import { TestProviders } from '../../../../mock/test_providers'; describe('Overview Host Stat Data', () => { describe('rendering', () => { @@ -18,23 +19,51 @@ describe('Overview Host Stat Data', () => { }); }); describe('loading', () => { - test('it does not show loading indicator when not loading', () => { - const wrapper = shallow(); - const loadingWrapper = wrapper - .dive() - .find('[data-test-subj="host-stat-auditbeatAuditd"]') + test('it does NOT show loading indicator when loading is false', () => { + const wrapper = mount( + + + + ); + + // click the accordion to expand it + wrapper + .find('button') .first() - .childAt(0); - expect(loadingWrapper.prop('isLoading')).toBe(false); + .simulate('click'); + wrapper.update(); + + expect( + wrapper + .find('[data-test-subj="host-stat-auditbeatAuditd"]') + .first() + .find('[data-test-subj="stat-value-loading-spinner"]') + .first() + .exists() + ).toBe(false); }); - test('it does show loading indicator when loading', () => { - const wrapper = shallow(); - const loadingWrapper = wrapper - .dive() - .find('[data-test-subj="host-stat-auditbeatAuditd"]') + test('it shows loading indicator when loading is true', () => { + const wrapper = mount( + + + + ); + + // click the accordion to expand it + wrapper + .find('button') .first() - .childAt(0); - expect(loadingWrapper.prop('isLoading')).toBe(true); + .simulate('click'); + wrapper.update(); + + expect( + wrapper + .find('[data-test-subj="host-stat-auditbeatAuditd"]') + .first() + .find('[data-test-subj="stat-value-loading-spinner"]') + .first() + .exists() + ).toBe(true); }); }); }); 
diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx index aa2c6d61451bc6..4134cc5ef4e4e3 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx 
@@ -4,209 +4,120 @@ * you may not use this file except in compliance with the Elastic License. */ -import { - EuiDescriptionList, - EuiDescriptionListDescription, - EuiDescriptionListTitle, - EuiLoadingSpinner, -} from '@elastic/eui'; -import numeral from '@elastic/numeral'; +import { EuiAccordion, EuiFlexGroup, EuiFlexItem, EuiHorizontalRule, EuiText } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; -import { has } from 'lodash/fp'; -import React from 'react'; +import React, { useMemo } from 'react'; import styled from 'styled-components'; import { OverviewHostData } from '../../../../graphql/types'; -import { getEmptyTagValue } from '../../../empty_value'; +import { FormattedStat, StatGroup } from '../types'; +import { StatValue } from '../stat_value'; interface OverviewHostProps { data: OverviewHostData; loading: boolean; } -// eslint-disable-next-line complexity -const overviewHostStats = (data: OverviewHostData) => [ +export const getOverviewHostStats = (data: OverviewHostData): FormattedStat[] => [ { - description: - has('auditbeatAuditd', data) && data.auditbeatAuditd !== null - ? numeral(data.auditbeatAuditd).format('0,0') - : getEmptyTagValue(), - title: ( - - ), + count: data.auditbeatAuditd ?? 0, + title: , id: 'auditbeatAuditd', }, { - description: - has('auditbeatFIM', data) && data.auditbeatFIM !== null - ? numeral(data.auditbeatFIM).format('0,0') - : getEmptyTagValue(), + count: data.auditbeatFIM ?? 0, title: ( ), id: 'auditbeatFIM', }, { - description: - has('auditbeatLogin', data) && data.auditbeatLogin !== null - ? numeral(data.auditbeatLogin).format('0,0') - : getEmptyTagValue(), - title: ( - - ), + count: data.auditbeatLogin ?? 0, + title: , id: 'auditbeatLogin', }, { - description: - has('auditbeatPackage', data) && data.auditbeatPackage !== null - ? numeral(data.auditbeatPackage).format('0,0') - : getEmptyTagValue(), + count: data.auditbeatPackage ?? 
0, title: ( - + ), id: 'auditbeatPackage', }, { - description: - has('auditbeatProcess', data) && data.auditbeatProcess !== null - ? numeral(data.auditbeatProcess).format('0,0') - : getEmptyTagValue(), + count: data.auditbeatProcess ?? 0, title: ( - + ), id: 'auditbeatProcess', }, { - description: - has('auditbeatUser', data) && data.auditbeatUser !== null - ? numeral(data.auditbeatUser).format('0,0') - : getEmptyTagValue(), - title: ( - - ), + count: data.auditbeatUser ?? 0, + title: , id: 'auditbeatUser', }, { - description: - has('endgameDns', data) && data.endgameDns !== null - ? numeral(data.endgameDns).format('0,0') - : getEmptyTagValue(), - title: ( - - ), + count: data.endgameDns ?? 0, + title: , id: 'endgameDns', }, { - description: - has('endgameFile', data) && data.endgameFile !== null - ? numeral(data.endgameFile).format('0,0') - : getEmptyTagValue(), - title: ( - - ), + count: data.endgameFile ?? 0, + title: , id: 'endgameFile', }, { - description: - has('endgameImageLoad', data) && data.endgameImageLoad !== null - ? numeral(data.endgameImageLoad).format('0,0') - : getEmptyTagValue(), + count: data.endgameImageLoad ?? 0, title: ( ), id: 'endgameImageLoad', }, { - description: - has('endgameNetwork', data) && data.endgameNetwork !== null - ? numeral(data.endgameNetwork).format('0,0') - : getEmptyTagValue(), + count: data.endgameNetwork ?? 0, title: ( - + ), id: 'endgameNetwork', }, { - description: - has('endgameProcess', data) && data.endgameProcess !== null - ? numeral(data.endgameProcess).format('0,0') - : getEmptyTagValue(), + count: data.endgameProcess ?? 0, title: ( - + ), id: 'endgameProcess', }, { - description: - has('endgameRegistry', data) && data.endgameRegistry !== null - ? numeral(data.endgameRegistry).format('0,0') - : getEmptyTagValue(), + count: data.endgameRegistry ?? 0, title: ( - + ), id: 'endgameRegistry', }, { - description: - has('endgameSecurity', data) && data.endgameSecurity !== null - ? 
numeral(data.endgameSecurity).format('0,0') - : getEmptyTagValue(), + count: data.endgameSecurity ?? 0, title: ( - + ), id: 'endgameSecurity', }, { - description: - has('filebeatSystemModule', data) && data.filebeatSystemModule !== null - ? numeral(data.filebeatSystemModule).format('0,0') - : getEmptyTagValue(), + count: data.filebeatSystemModule ?? 0, title: ( ), id: 'filebeatSystemModule', }, { - description: - has('winlogbeat', data) && data.winlogbeat !== null - ? numeral(data.winlogbeat).format('0,0') - : getEmptyTagValue(), + count: data.winlogbeat ?? 0, title: ( ), 
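Review bot: `getOverviewHostStats` now maps a `null` count to `0` (`count: data.auditbeatAuditd ?? 0`, and likewise for every other field), whereas the replaced code rendered `getEmptyTagValue()` for `null`; "no data returned for this source" and "zero events from this source" are now indistinguishable both in the overview and in the totals summed by the caller. If that collapse is intended, `FormattedStat` or this function should say so in a comment; otherwise keep `count: number | null` and let `StatValue` render the empty placeholder for `null`. The old `has('auditbeatAuditd', data)` guard also tolerated an undefined `data`, while `data.auditbeatAuditd` will throw if the query container ever yields no `overviewHost` (for example before the first response), which I cannot confirm from this hunk. The array literal continues outside the hunk.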
@@ -214,31 +125,128 @@ const overviewHostStats = (data: OverviewHostData) => [ }, ]; -export const DescriptionListDescription = styled(EuiDescriptionListDescription)` - text-align: right; +const HostStatsContainer = styled.div` + .accordion-button { + width: 100%; + } +`; + +const hostStatGroups: StatGroup[] = [ + { + groupId: 'auditbeat', + name: ( + + ), + statIds: [ + 'auditbeatAuditd', + 'auditbeatFIM', + 'auditbeatLogin', + 'auditbeatPackage', + 'auditbeatProcess', + 'auditbeatUser', + ], + }, + { + groupId: 'endgame', + name: ( + + ), + statIds: [ + 'endgameDns', + 'endgameFile', + 'endgameImageLoad', + 'endgameNetwork', + 'endgameProcess', + 'endgameRegistry', + 'endgameSecurity', + ], + }, + { + groupId: 'filebeat', + name: ( + + ), + statIds: ['filebeatSystemModule'], + }, + { + groupId: 'winlogbeat', + name: ( + + ), + statIds: ['winlogbeat'], + }, +]; + +const Title = styled.div` + margin-left: 24px; `; -DescriptionListDescription.displayName = 'DescriptionListDescription'; +export const OverviewHostStats = React.memo(({ data, loading }) => { + const allHostStats = getOverviewHostStats(data); + const allHostStatsCount = allHostStats.reduce((total, stat) => total + stat.count, 0); -const StatValue = React.memo<{ isLoading: boolean; value: React.ReactNode | null | undefined }>( - ({ isLoading, value }) => ( - <>{isLoading ? : value != null ? 
value : getEmptyTagValue()} - ) -); + return ( + + {hostStatGroups.map((statGroup, i) => { + const statsForGroup = allHostStats.filter(s => statGroup.statIds.includes(s.id)); + const statsForGroupCount = statsForGroup.reduce((total, stat) => total + stat.count, 0); -StatValue.displayName = 'StatValue'; + const accordionButton = useMemo( + () => ( + + + {statGroup.name} + + + + + + ), + [statGroup, statsForGroupCount, loading, allHostStatsCount] + ); -export const OverviewHostStats = React.memo(({ data, loading }) => ( - - {overviewHostStats(data).map((item, index) => ( - - {item.title} - - - - - ))} - -)); + return ( + + + {statsForGroup.map(stat => ( + + + + {stat.title} + + + + + + + ))} + + {i !== hostStatGroups.length - 1 && } + + ); + })} + + ); +}); OverviewHostStats.displayName = 'OverviewHostStats'; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx index af8c87ff385968..36af58c4879a78 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx 
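Review bot: `useMemo` is called inside the `hostStatGroups.map(...)` callback in `OverviewHostStats`, which violates the Rules of Hooks (hooks must not run inside loops or nested callbacks); it only works because `hostStatGroups` is a module constant of fixed length, and `eslint-plugin-react-hooks` would reject it. The memoised value is a handful of flex items, so the cheapest fix is to drop `useMemo` and assign the JSX directly, `const accordionButton = ( … );`, or to extract each group into a small `HostStatGroup` child component if memoisation is genuinely wanted. A one-line comment on `hostStatGroups` noting that it is deliberately a stable module-level constant would also help whoever touches this next.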
@@ -5,23 +5,28 @@ */ import { EuiButton, EuiFlexItem, EuiPanel } from '@elastic/eui'; +import numeral from '@elastic/numeral'; import { FormattedMessage } from '@kbn/i18n/react'; import React from 'react'; +import { DEFAULT_NUMBER_FORMAT } from '../../../../../common/constants'; +import { ESQuery } from '../../../../../common/typed_json'; import { HeaderSection } from '../../../header_section'; +import { useUiSetting$ } from '../../../../lib/kibana'; import { manageQuery } from '../../../page/manage_query'; import { ID as OverviewNetworkQueryId, OverviewNetworkQuery, } from '../../../../containers/overview/overview_network'; import { inputsModel } from '../../../../store/inputs'; -import { OverviewNetworkStats } from '../overview_network_stats'; +import { getOverviewNetworkStats, OverviewNetworkStats } from '../overview_network_stats'; import { getNetworkUrl } from '../../../link_to'; import { InspectButtonContainer } from '../../../inspect'; export interface OwnProps { startDate: number; endDate: number; + filterQuery?: ESQuery | string; setQuery: ({ id, inspect, 
@@ -37,49 +42,76 @@ export interface OwnProps { const OverviewNetworkStatsManage = manageQuery(OverviewNetworkStats); -const OverviewNetworkComponent: React.FC = ({ endDate, startDate, setQuery }) => ( - - - - - } - title={ - - } - > - - - - +export const OverviewNetwork = React.memo( + ({ endDate, filterQuery, startDate, setQuery }) => { + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); - - {({ overviewNetwork, loading, id, inspect, refetch }) => ( - - )} - - - - + return ( + + + + + {({ overviewNetwork, loading, id, inspect, refetch }) => { + const networkEventsCount = getOverviewNetworkStats(overviewNetwork).reduce( + (total, stat) => total + stat.count, + 0 + ); + const formattedNetworkEventsCount = numeral(networkEventsCount).format( + defaultNumberFormat + ); + + return ( + <> + + } + title={ + + } + > + + + + + + + + ); + }} + + + + + ); + } ); -export const OverviewNetwork = React.memo(OverviewNetworkComponent); +OverviewNetwork.displayName = 'OverviewNetwork'; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap index 9db61c474e2200..4544c05f7b180d 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap 
@@ -1,143 +1,407 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP exports[`Overview Network Stat Data rendering it renders the default OverviewNetworkStats 1`] = ` - - - - - + + + + + + + + + + } + buttonContentClassName="accordion-button" + id="network-stat-accordion-groupauditbeat" + initialIsOpen={false} + paddingSize="none" > - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + } + buttonContentClassName="accordion-button" + id="network-stat-accordion-groupfilebeat" + initialIsOpen={false} + paddingSize="none" > - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + } + buttonContentClassName="accordion-button" + id="network-stat-accordion-grouppacketbeat" + initialIsOpen={false} + paddingSize="none" > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + `; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.test.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.test.tsx index 08093c5d38c151..cf1a7d20b73eca 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.test.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.test.tsx @@ -4,11 +4,12 @@ * you may not use this file except in compliance with the Elastic License. */ -import { shallow } from 'enzyme'; +import { mount, shallow } from 'enzyme'; import React from 'react'; import { OverviewNetworkStats } from '.'; import { mockData } from './mock'; +import { TestProviders } from '../../../../mock/test_providers'; describe('Overview Network Stat Data', () => { describe('rendering', () => { 
@@ -20,28 +21,52 @@ describe('Overview Network Stat Data', () => { }); }); describe('loading', () => { - test('it does not show loading indicator when not loading', () => { - const wrapper = shallow( - + test('it does NOT show loading indicator when loading is false', () => { + const wrapper = mount( + + + ); - const loadingWrapper = wrapper - .dive() - .find('[data-test-subj="network-stat-auditbeatSocket"]') + // click the accordion to expand it + wrapper + .find('button') .first() - .childAt(0); - expect(loadingWrapper.prop('isLoading')).toBe(false); + .simulate('click'); + wrapper.update(); + + expect( + wrapper + .find('[data-test-subj="network-stat-auditbeatSocket"]') + .first() + .find('[data-test-subj="stat-value-loading-spinner"]') + .first() + .exists() + ).toBe(false); }); - test('it does show loading indicator when not loading', () => { - const wrapper = shallow( - + + test('it shows the loading indicator when loading is true', () => { + const wrapper = mount( + + + ); - const loadingWrapper = wrapper - .dive() - .find('[data-test-subj="network-stat-auditbeatSocket"]') + + // click the accordion to expand it + wrapper + .find('button') .first() - .childAt(0); - expect(loadingWrapper.prop('isLoading')).toBe(true); + .simulate('click'); + wrapper.update(); + + expect( + wrapper + .find('[data-test-subj="network-stat-auditbeatSocket"]') + .first() + .find('[data-test-subj="stat-value-loading-spinner"]') + .first() + .exists() + ).toBe(true); }); }); }); diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx index 81d374bc0286bc..123f7f21a75fd9 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx 
@@ -4,168 +4,191 @@ * you may not use this file except in compliance with the Elastic License. */ -import { - EuiDescriptionList, - EuiDescriptionListDescription, - EuiDescriptionListTitle, - EuiLoadingSpinner, -} from '@elastic/eui'; -import numeral from '@elastic/numeral'; +import { EuiAccordion, EuiFlexGroup, EuiFlexItem, EuiHorizontalRule, EuiText } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; -import { has } from 'lodash/fp'; -import React from 'react'; +import React, { useMemo } from 'react'; import styled from 'styled-components'; import { OverviewNetworkData } from '../../../../graphql/types'; -import { getEmptyTagValue } from '../../../empty_value'; +import { FormattedStat, StatGroup } from '../types'; +import { StatValue } from '../stat_value'; interface OverviewNetworkProps { data: OverviewNetworkData; loading: boolean; } -const overviewNetworkStats = (data: OverviewNetworkData) => [ +export const getOverviewNetworkStats = (data: OverviewNetworkData): FormattedStat[] => [ { - description: - has('auditbeatSocket', data) && data.auditbeatSocket !== null - ? numeral(data.auditbeatSocket).format('0,0') - : getEmptyTagValue(), + count: data.auditbeatSocket ?? 0, title: ( - + ), id: 'auditbeatSocket', }, { - description: - has('filebeatCisco', data) && data.filebeatCisco !== null - ? numeral(data.filebeatCisco).format('0,0') - : getEmptyTagValue(), - title: ( - - ), + count: data.filebeatCisco ?? 0, + title: , id: 'filebeatCisco', }, { - description: - has('filebeatNetflow', data) && data.filebeatNetflow !== null - ? numeral(data.filebeatNetflow).format('0,0') - : getEmptyTagValue(), + count: data.filebeatNetflow ?? 0, title: ( - + ), id: 'filebeatNetflow', }, { - description: - has('filebeatPanw', data) && data.filebeatPanw !== null - ? numeral(data.filebeatPanw).format('0,0') - : getEmptyTagValue(), + count: data.filebeatPanw ?? 
0, title: ( ), id: 'filebeatPanw', }, { - description: - has('filebeatSuricata', data) && data.filebeatSuricata !== null - ? numeral(data.filebeatSuricata).format('0,0') - : getEmptyTagValue(), + count: data.filebeatSuricata ?? 0, title: ( - + ), id: 'filebeatSuricata', }, { - description: - has('filebeatZeek', data) && data.filebeatZeek !== null - ? numeral(data.filebeatZeek).format('0,0') - : getEmptyTagValue(), - title: ( - - ), + count: data.filebeatZeek ?? 0, + title: , id: 'filebeatZeek', }, { - description: - has('packetbeatDNS', data) && data.packetbeatDNS !== null - ? numeral(data.packetbeatDNS).format('0,0') - : getEmptyTagValue(), - title: ( + count: data.packetbeatDNS ?? 0, + title: , + id: 'packetbeatDNS', + }, + { + count: data.packetbeatFlow ?? 0, + title: , + id: 'packetbeatFlow', + }, + { + count: data.packetbeatTLS ?? 0, + title: , + id: 'packetbeatTLS', + }, +]; + +const networkStatGroups: StatGroup[] = [ + { + groupId: 'auditbeat', + name: ( ), - id: 'packetbeatDNS', + statIds: ['auditbeatSocket'], }, { - description: - has('packetbeatFlow', data) && data.packetbeatFlow !== null - ? numeral(data.packetbeatFlow).format('0,0') - : getEmptyTagValue(), - title: ( + groupId: 'filebeat', + name: ( ), - id: 'packetbeatFlow', + statIds: [ + 'filebeatCisco', + 'filebeatNetflow', + 'filebeatPanw', + 'filebeatSuricata', + 'filebeatZeek', + ], }, { - description: - has('packetbeatTLS', data) && data.packetbeatTLS !== null - ? 
numeral(data.packetbeatTLS).format('0,0') - : getEmptyTagValue(), - title: ( + groupId: 'packetbeat', + name: ( ), - id: 'packetbeatTLS', + statIds: ['packetbeatDNS', 'packetbeatFlow', 'packetbeatTLS'], }, ]; -export const DescriptionListDescription = styled(EuiDescriptionListDescription)` - text-align: right; +const NetworkStatsContainer = styled.div` + .accordion-button { + width: 100%; + } +`; + +const Title = styled.div` + margin-left: 24px; `; -DescriptionListDescription.displayName = 'DescriptionListDescription'; +export const OverviewNetworkStats = React.memo(({ data, loading }) => { + const allNetworkStats = getOverviewNetworkStats(data); + const allNetworkStatsCount = allNetworkStats.reduce((total, stat) => total + stat.count, 0); -const StatValue = React.memo<{ isLoading: boolean; value: React.ReactNode | null | undefined }>( - ({ isLoading, value }) => ( - <>{isLoading ? : value != null ? value : getEmptyTagValue()} - ) -); + return ( + + {networkStatGroups.map((statGroup, i) => { + const statsForGroup = allNetworkStats.filter(s => statGroup.statIds.includes(s.id)); + const statsForGroupCount = statsForGroup.reduce((total, stat) => total + stat.count, 0); -StatValue.displayName = 'StatValue'; + const accordionButton = useMemo( + () => ( + + + {statGroup.name} + + + + + + ), + [statGroup, statsForGroupCount, loading, allNetworkStatsCount] + ); -export const OverviewNetworkStats = React.memo(({ data, loading }) => ( - - {overviewNetworkStats(data).map((item, index) => ( - - {item.title} - - - - - ))} - -)); + return ( + + + {statsForGroup.map(stat => ( + + + + {stat.title} + + + + + + + ))} + + {i !== networkStatGroups.length - 1 && } + + ); + })} + + ); +}); OverviewNetworkStats.displayName = 'OverviewNetworkStats'; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx new file mode 100644 index 00000000000000..5a496ba78eb6c6 --- /dev/null 
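Review bot: `useMemo` is called inside the `networkStatGroups.map` callback in `OverviewNetworkStats`, which breaks the Rules of Hooks — hooks must run unconditionally at the top level of a component, and `react-hooks/rules-of-hooks` rejects a hook inside a loop callback. It only works here because `networkStatGroups` has a fixed length, so the call order happens to be stable from render to render. Either drop the memoization and assign the JSX directly, `const accordionButton = (<EuiFlexGroup …>…</EuiFlexGroup>);`, or move the per-group body into its own small component so the hook has a proper home. Separately, `count: data.auditbeatSocket ?? 0` (and its siblings in `getOverviewNetworkStats`) now renders a null field as `0` where the removed code rendered the empty-value tag; if that distinction matters to users it is lost silently.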
+++ b/x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx @@ -0,0 +1,54 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiFlexGroup, EuiFlexItem, EuiLoadingSpinner, EuiProgress, EuiText } from '@elastic/eui'; +import numeral from '@elastic/numeral'; +import React from 'react'; +import styled from 'styled-components'; + +import { DEFAULT_NUMBER_FORMAT } from '../../../../common/constants'; +import { useUiSetting$ } from '../../../lib/kibana'; + +const ProgressContainer = styled.div` + width: 100px; +`; + +export const StatValue = React.memo<{ + count: number; + isLoading: boolean; + isGroupStat: boolean; + max: number; +}>(({ count, isGroupStat, isLoading, max }) => { + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + + return ( + <> + {isLoading ? ( + + ) : ( + + + + {numeral(count).format(defaultNumberFormat)} + + + + + + + + + )} + + ); +}); + +StatValue.displayName = 'StatValue'; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/types.ts b/x-pack/legacy/plugins/siem/public/components/page/overview/types.ts new file mode 100644 index 00000000000000..9333aa386dbc06 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/types.ts 
@@ -0,0 +1,43 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export type OverviewStatId = + | 'auditbeatAuditd' + | 'auditbeatFIM' + | 'auditbeatLogin' + | 'auditbeatPackage' + | 'auditbeatProcess' + | 'auditbeatSocket' + | 'auditbeatUser' + | 'endgameDns' + | 'endgameFile' + | 'endgameImageLoad' + | 'endgameNetwork' + | 'endgameProcess' + | 'endgameRegistry' + | 'endgameSecurity' + | 'filebeatCisco' + | 'filebeatNetflow' + | 'filebeatPanw' + | 'filebeatSuricata' + | 'filebeatSystemModule' + | 'filebeatZeek' + | 'packetbeatDNS' + | 'packetbeatFlow' + | 'packetbeatTLS' + | 'winlogbeat'; + +export interface FormattedStat { + count: number; + id: OverviewStatId; + title: React.ReactNode; +} + +export interface StatGroup { + name: string | React.ReactNode; + groupId: string; + statIds: OverviewStatId[]; +} diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx new file mode 100644 index 00000000000000..42ac3c19ff792c --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx 
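Review bot: `name: string | React.ReactNode` in `StatGroup` is redundant, since `React.ReactNode` already includes `string`; `name: React.ReactNode` states the same contract and matches `title: React.ReactNode` in `FormattedStat`. Also, `React` is referenced in this `.ts` module without an import; that only compiles if the project permits UMD global access from modules, so `import { ReactNode } from 'react';` with `title: ReactNode;` would make the file self-contained.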
@@ -0,0 +1,59 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiFlexGroup, EuiFlexItem, EuiIcon, EuiText, EuiToolTip } from '@elastic/eui'; +import React from 'react'; +import styled from 'styled-components'; + +import { getPinnedEventCount, getNotesCount } from '../../open_timeline/helpers'; +import { OpenTimelineResult } from '../../open_timeline/types'; + +import * as i18n from '../translations'; + +const Icon = styled(EuiIcon)` + margin-right: 8px; +`; + +const FlexGroup = styled(EuiFlexGroup)` + margin-right: 16px; +`; + +const IconWithCount = React.memo<{ count: number; icon: string; tooltip: string }>( + ({ count, icon, tooltip }) => ( + + + + + + + + + {count} + + + + + ) +); + +IconWithCount.displayName = 'IconWithCount'; + +export const RecentTimelineCounts = React.memo<{ + timeline: OpenTimelineResult; +}>(({ timeline }) => { + return ( + <> + + + + ); +}); + +RecentTimelineCounts.displayName = 'RecentTimelineCounts'; diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/filters/index.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/filters/index.tsx new file mode 100644 index 00000000000000..de8a3de8094d04 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/filters/index.tsx 
@@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiButtonGroup, EuiButtonGroupOption } from '@elastic/eui'; +import React from 'react'; + +import { FilterMode } from '../types'; + +const toggleButtonIcons: EuiButtonGroupOption[] = [ + { + id: 'favorites', + label: 'Favorites', + iconType: 'starFilled', + }, + { + id: `recently-updated`, + label: 'Last updated', + iconType: 'documentEdit', + }, +]; + +export const Filters = React.memo<{ + filterBy: FilterMode; + setFilterBy: (filterBy: FilterMode) => void; +}>(({ filterBy, setFilterBy }) => ( + { + setFilterBy(f as FilterMode); + }} + isIconOnly + /> +)); + +Filters.displayName = 'Filters'; diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx new file mode 100644 index 00000000000000..886a2345248a2a --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx 
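Review bot: The `label` values `'Favorites'` and `'Last updated'` in `toggleButtonIcons` are hard-coded English, while every other user-facing string in this feature goes through `i18n.translate` in `translations.ts`; they should be translated constants as well (e.g. `label: i18n.FAVORITES`) so the localization tooling picks them up. Minor style: `id: \`recently-updated\`` is a template literal with no interpolation and can be the plain string `'recently-updated'` like the sibling entry.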
@@ -0,0 +1,66 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { + EuiFlexGroup, + EuiFlexItem, + EuiText, + EuiLink, + EuiToolTip, + EuiButtonIcon, +} from '@elastic/eui'; +import React from 'react'; + +import { isUntitled } from '../../open_timeline/helpers'; +import { OnOpenTimeline, OpenTimelineResult } from '../../open_timeline/types'; + +import * as i18n from '../translations'; + +export interface MeApiResponse { + username: string; +} + +export const RecentTimelineHeader = React.memo<{ + onOpenTimeline: OnOpenTimeline; + timeline: OpenTimelineResult; +}>(({ onOpenTimeline, timeline }) => { + const { title, savedObjectId } = timeline; + + return ( + + + + onOpenTimeline({ duplicate: false, timelineId: `${savedObjectId}` })} + > + {isUntitled(timeline) ? i18n.UNTITLED_TIMELINE : title} + + + + + + + + onOpenTimeline({ + duplicate: true, + timelineId: `${savedObjectId}`, + }) + } + size="s" + /> + + + + ); +}); + +RecentTimelineHeader.displayName = 'RecentTimelineHeader'; diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/helpers.ts b/x-pack/legacy/plugins/siem/public/components/recent_timelines/helpers.ts new file mode 100644 index 00000000000000..61b49da01dc3aa --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/helpers.ts 
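Review bot: `timelineId: \`${savedObjectId}\`` appears twice in `RecentTimelineHeader`; if `savedObjectId` is nullable in `OpenTimelineResult` (that type is not in this hunk), the template literal turns `null`/`undefined` into the strings `'null'`/`'undefined'` and the open/duplicate call proceeds with a bogus id. A guard before the `return`, `if (savedObjectId == null) return null;`, or a non-nullable field type would make the intent explicit.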
@@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { throwIfNotOk } from '../../hooks/api/api'; +import { MeApiResponse } from './recent_timelines'; + +export const getMeApiUrl = (getBasePath: () => string): string => + `${getBasePath()}/internal/security/me`; + +export const fetchUsername = async (meApiUrl: string) => { + const response = await fetch(meApiUrl, { + method: 'GET', + credentials: 'same-origin', + headers: { + 'content-type': 'application/json', + }, + }); + + await throwIfNotOk(response); + const apiResponse: MeApiResponse = await response.json(); + + return apiResponse.username; +}; diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx new file mode 100644 index 00000000000000..f1e22d1901d47b --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx 
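Review bot: `fetchUsername` trusts the shape of the `/internal/security/me` response: `const apiResponse: MeApiResponse = await response.json()` is a type annotation, not a runtime check, so a payload that passes `throwIfNotOk` but lacks `username` resolves to `undefined`, and the caller in `index.tsx` then keeps showing its loading spinner indefinitely because `username === undefined` is its loading sentinel. A small guard after the parse, `if (typeof apiResponse?.username !== 'string') throw new Error('unexpected response from /internal/security/me');`, keeps the failure explicit. The `'content-type': 'application/json'` header is unnecessary on a body-less GET. `MeApiResponse` is imported here from `./recent_timelines`, but the same interface is also declared in `header/index.tsx` and `index.tsx`; it belongs once in `./types.ts` next to `FilterMode`.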
@@ -0,0 +1,141 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import ApolloClient from 'apollo-client'; +import { EuiHorizontalRule, EuiLink, EuiLoadingSpinner, EuiText } from '@elastic/eui'; +import React, { useCallback, useEffect, useMemo, useState } from 'react'; +import { connect } from 'react-redux'; +import { Dispatch } from 'redux'; +import { ActionCreator } from 'typescript-fsa'; +import chrome from 'ui/chrome'; + +import { AllTimelinesQuery } from '../../containers/timeline/all'; +import { SortFieldTimeline, Direction } from '../../graphql/types'; +import { fetchUsername, getMeApiUrl } from './helpers'; +import { queryTimelineById, dispatchUpdateTimeline } from '../open_timeline/helpers'; +import { DispatchUpdateTimeline, OnOpenTimeline } from '../open_timeline/types'; +import { RecentTimelines } from './recent_timelines'; +import { updateIsLoading as dispatchUpdateIsLoading } from '../../store/timeline/actions'; +import { FilterMode } from './types'; + +import * as i18n from './translations'; + +export interface MeApiResponse { + username: string; +} + +interface OwnProps { + apolloClient: ApolloClient<{}>; + filterBy: FilterMode; +} + +interface DispatchProps { + updateIsLoading: ({ id, isLoading }: { id: string; isLoading: boolean }) => void; + updateTimeline: DispatchUpdateTimeline; +} + +export type Props = OwnProps & DispatchProps; + +const StatefulRecentTimelinesComponent = React.memo( + ({ apolloClient, filterBy, updateIsLoading, updateTimeline }) => { + const actionDispatcher = updateIsLoading as ActionCreator<{ id: string; isLoading: boolean }>; + const [username, setUsername] = useState(undefined); + const LoadingSpinner = useMemo(() => , []); + const onOpenTimeline: OnOpenTimeline = useCallback( + ({ duplicate, timelineId }: { duplicate: 
boolean; timelineId: string }) => { + queryTimelineById({ + apolloClient, + duplicate, + timelineId, + updateIsLoading: actionDispatcher, + updateTimeline, + }); + }, + [apolloClient, updateIsLoading, updateTimeline] + ); + + useEffect(() => { + let canceled = false; + + const fetchData = async () => { + try { + const loggedInUser = await fetchUsername(getMeApiUrl(chrome.getBasePath)); + + if (!canceled) { + setUsername(loggedInUser); + } + } catch (e) { + if (!canceled) { + setUsername(null); + } + } + }; + + fetchData(); + + return () => { + canceled = true; + }; + }, []); + + if (username === undefined) { + return LoadingSpinner; + } else if (username == null) { + return null; + } + + // TODO: why does `createdBy: ` specified as a `search` query does not match results? + + const noTimelinesMessage = + filterBy === 'favorites' ? i18n.NO_FAVORITE_TIMELINES : i18n.NO_TIMELINES; + + return ( + + {({ timelines, loading }) => ( + <> + {loading ? ( + <>{LoadingSpinner} + ) : ( + + )} + + + {i18n.VIEW_ALL_TIMELINES} + + + )} + + ); + } +); + +StatefulRecentTimelinesComponent.displayName = 'StatefulRecentTimelinesComponent'; + +const mapDispatchToProps = (dispatch: Dispatch) => ({ + updateIsLoading: ({ id, isLoading }: { id: string; isLoading: boolean }) => + dispatch(dispatchUpdateIsLoading({ id, isLoading })), + updateTimeline: dispatchUpdateTimeline(dispatch), +}); + +export const StatefulRecentTimelines = connect( + null, + mapDispatchToProps +)(StatefulRecentTimelinesComponent); diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/recent_timelines.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/recent_timelines.tsx new file mode 100644 index 00000000000000..a310d0613d49c5 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/recent_timelines.tsx 
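Review bot: The `catch` in the `useEffect` of `StatefulRecentTimelinesComponent` swallows the error and only sets `username` to `null`, so a failed `/me` request makes the whole panel render `null` with no trace for the user or the console; `ERROR_RETRIEVING_USER_DETAILS` exists in `translations.ts` for exactly this case but is never used. Surfacing the failure, via the Kibana toast service if one is in scope or at least `console.error(i18n.ERROR_RETRIEVING_USER_DETAILS, e);` inside the catch, would make the silent disappearance diagnosable. The `// TODO: why does createdBy …` comment should reference a tracking issue or be removed before merge.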
@@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiSpacer, EuiText } from '@elastic/eui'; +import React from 'react'; + +import { RecentTimelineHeader } from './header'; +import { OnOpenTimeline, OpenTimelineResult } from '../open_timeline/types'; + +import { RecentTimelineCounts } from './counts'; + +export interface MeApiResponse { + username: string; +} + +export const RecentTimelines = React.memo<{ + noTimelinesMessage: string; + onOpenTimeline: OnOpenTimeline; + timelines: OpenTimelineResult[]; +}>(({ noTimelinesMessage, onOpenTimeline, timelines }) => { + if (timelines.length === 0) { + return ( + <> + + {noTimelinesMessage} + + + ); + } + + return ( + <> + {timelines.map((t, i) => ( +
+ + + {t.description && t.description.length && ( + <> + + + {t.description} + + + )} + {i !== timelines.length - 1 && } +
+ ))} + + ); +}); + +RecentTimelines.displayName = 'RecentTimelines'; diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/translations.ts b/x-pack/legacy/plugins/siem/public/components/recent_timelines/translations.ts new file mode 100644 index 00000000000000..e547272fde6e16 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/translations.ts 
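Review bot: `{t.description && t.description.length && (…)}` in `RecentTimelines` renders a literal `0` when `description` is an empty string, because `&&` yields the falsy `0` from `.length` and React prints numbers. Use a boolean condition, `{t.description && t.description.length > 0 && (` … `)}`, or a ternary that returns `null` in the else branch.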
@@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { i18n } from '@kbn/i18n'; + +export const ERROR_RETRIEVING_USER_DETAILS = i18n.translate( + 'xpack.siem.recentTimelines.errorRetrievingUserDetailsMessage', + { + defaultMessage: 'Recent Timelines: An error occurred while retrieving user details', + } +); + +export const NO_FAVORITE_TIMELINES = i18n.translate( + 'xpack.siem.recentTimelines.noFavoriteTimelinesMessage', + { + defaultMessage: + "You haven't favorited any timelines yet. Get out there and start threat hunting!", + } +); + +export const NO_TIMELINES = i18n.translate('xpack.siem.recentTimelines.noTimelinesMessage', { + defaultMessage: "You haven't created any timelines yet. Get out there and start threat hunting!", +}); + +export const NOTES = i18n.translate('xpack.siem.recentTimelines.notesTooltip', { + defaultMessage: 'Notes', +}); + +export const OPEN_AS_DUPLICATE = i18n.translate( + 'xpack.siem.recentTimelines.openAsDuplicateTooltip', + { + defaultMessage: 'Open as a duplicate timeline', + } +); + +export const PINNED_EVENTS = i18n.translate('xpack.siem.recentTimelines.pinnedEventsTooltip', { + defaultMessage: 'Pinned events', +}); + +export const UNTITLED_TIMELINE = i18n.translate( + 'xpack.siem.recentTimelines.untitledTimelineLabel', + { + defaultMessage: 'Untitled timeline', + } +); + +export const VIEW_ALL_TIMELINES = i18n.translate( + 'xpack.siem.recentTimelines.viewAllTimelinesLink', + { + defaultMessage: 'View all timelines', + } +); diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/types.ts b/x-pack/legacy/plugins/siem/public/components/recent_timelines/types.ts new file mode 100644 index 00000000000000..d99209dfb1267f --- /dev/null 
+++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/types.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export type FilterMode = 'favorites' | 'recently-updated'; diff --git a/x-pack/legacy/plugins/siem/public/components/sidebar_header/index.tsx b/x-pack/legacy/plugins/siem/public/components/sidebar_header/index.tsx new file mode 100644 index 00000000000000..90949f1bdd1473 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/sidebar_header/index.tsx @@ -0,0 +1,27 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiFlexGroup, EuiFlexItem, EuiHorizontalRule, EuiTitle } from '@elastic/eui'; +import React from 'react'; + +export const SidebarHeader = React.memo<{ children?: React.ReactNode; title: string }>( + ({ children, title }) => ( + <> + + + +

{title}

+
+
+ + {children} +
+ + + ) +); + +SidebarHeader.displayName = 'SidebarHeader'; diff --git a/x-pack/legacy/plugins/siem/public/components/url_state/index.test.tsx b/x-pack/legacy/plugins/siem/public/components/url_state/index.test.tsx index 67823bea9e170c..ab290c2f2fd67b 100644 --- a/x-pack/legacy/plugins/siem/public/components/url_state/index.test.tsx +++ b/x-pack/legacy/plugins/siem/public/components/url_state/index.test.tsx @@ -145,7 +145,7 @@ describe('UrlStateContainer', () => { ).toEqual({ hash: '', pathname: examplePath, - search: [CONSTANTS.overviewPage, CONSTANTS.timelinePage].includes(page) + search: [CONSTANTS.timelinePage].includes(page) ? '?timerange=(global:(linkTo:!(timeline),timerange:(from:1558048243696,fromStr:now-24h,kind:relative,to:1558134643697,toStr:now)),timeline:(linkTo:!(global),timerange:(from:1558048243696,fromStr:now-24h,kind:relative,to:1558134643697,toStr:now)))' : `?query=(language:kuery,query:'host.name:%22siem-es%22')&timerange=(global:(linkTo:!(timeline),timerange:(from:1558048243696,fromStr:now-24h,kind:relative,to:1558134643697,toStr:now)),timeline:(linkTo:!(global),timerange:(from:1558048243696,fromStr:now-24h,kind:relative,to:1558134643697,toStr:now)))`, state: '', diff --git a/x-pack/legacy/plugins/siem/public/components/url_state/types.ts b/x-pack/legacy/plugins/siem/public/components/url_state/types.ts index 09eef7f8097732..a48653a7ea6f4a 100644 --- a/x-pack/legacy/plugins/siem/public/components/url_state/types.ts +++ b/x-pack/legacy/plugins/siem/public/components/url_state/types.ts @@ -45,7 +45,13 @@ export const URL_STATE_KEYS: Record = { CONSTANTS.timerange, CONSTANTS.timeline, ], - overview: [CONSTANTS.timeline, CONSTANTS.timerange], + overview: [ + CONSTANTS.appQuery, + CONSTANTS.filters, + CONSTANTS.savedQuery, + CONSTANTS.timerange, + CONSTANTS.timeline, + ], timeline: [CONSTANTS.timeline, CONSTANTS.timerange], }; 
diff --git a/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx b/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx index 0167f6253c3b1e..b2b38e8c341392 100644 --- a/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx +++ b/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx @@ -4,6 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ +import { Position } from '@elastic/charts'; import React from 'react'; import { compose } from 'redux'; @@ -16,6 +17,7 @@ import { MatrixHistogram } from '../../components/matrix_histogram'; import { MatrixHistogramOption, MatrixHistogramMappingTypes, + GetTitle, GetSubTitle, } from '../../components/matrix_histogram/types'; import { UpdateDateRange } from '../../components/charts/common'; @@ -30,15 +32,17 @@ export interface OwnProps extends QueryTemplateProps { deleteQuery?: ({ id }: { id: string }) => void; isEventsType?: boolean; errorMessage: string; + headerChildren?: React.ReactNode; hideHistogramIfEmpty?: boolean; id: string; + legendPosition?: Position; mapping?: MatrixHistogramMappingTypes; query: Maybe; setQuery: SetQuery; sourceId: string; stackByOptions: MatrixHistogramOption[]; subtitle?: string | GetSubTitle; - title: string; + title: string | GetTitle; type: hostsModel.HostsType | networkModel.NetworkType; updateDateRange: UpdateDateRange; } diff --git a/x-pack/legacy/plugins/siem/public/pages/common/translations.ts b/x-pack/legacy/plugins/siem/public/pages/common/translations.ts new file mode 100644 index 00000000000000..3e203383756163 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/common/translations.ts 
@@ -0,0 +1,27 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { i18n } from '@kbn/i18n'; + +export const EMPTY_TITLE = i18n.translate('xpack.siem.pages.common.emptyTitle', { + defaultMessage: 'Welcome to SIEM. Let’s get you started.', +}); + +export const EMPTY_MESSAGE = i18n.translate('xpack.siem.pages.common.emptyMessage', { + defaultMessage: + 'To begin using security information and event management, you’ll need to begin adding SIEM-related data to Kibana by installing and configuring our data shippers, called Beats. Let’s do that now!', +}); + +export const EMPTY_ACTION_PRIMARY = i18n.translate('xpack.siem.pages.common.emptyActionPrimary', { + defaultMessage: 'Add data with Beats', +}); + +export const EMPTY_ACTION_SECONDARY = i18n.translate( + 'xpack.siem.pages.common.emptyActionSecondary', + { + defaultMessage: 'View getting started guide', + } +); diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_empty_page.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_empty_page.tsx index a217fd6a737e70..bf7a2109fd3b5d 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_empty_page.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_empty_page.tsx @@ -9,7 +9,7 @@ import chrome from 'ui/chrome'; import { useKibana } from '../../lib/kibana'; import { EmptyPage } from '../../components/empty_page'; -import * as i18n from './translations'; +import * as i18n from '../common/translations'; const basePath = chrome.getBasePath(); 
@@ -21,8 +21,9 @@ export const DetectionEngineEmptyPage = React.memo(() => ( actionSecondaryIcon="popout" actionSecondaryLabel={i18n.EMPTY_ACTION_SECONDARY} actionSecondaryTarget="_blank" - actionSecondaryUrl={useKibana().services.docLinks.links.siem} + actionSecondaryUrl={useKibana().services.docLinks.links.siem.gettingStarted} data-test-subj="empty-page" + message={i18n.EMPTY_MESSAGE} title={i18n.EMPTY_TITLE} /> )); diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_no_signal_index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_no_signal_index.tsx index 713bd6239d80e9..1be6317a91607c 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_no_signal_index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/detection_engine_no_signal_index.tsx @@ -5,16 +5,18 @@ */ import React from 'react'; -import { documentationLinks } from 'ui/documentation_links'; +import chrome from 'ui/chrome'; import { EmptyPage } from '../../components/empty_page'; import * as i18n from './translations'; +const basePath = chrome.getBasePath(); + export const DetectionEngineNoIndex = React.memo(() => ( ( { actionSecondaryIcon="popout" actionSecondaryLabel={i18n.EMPTY_ACTION_SECONDARY} actionSecondaryTarget="_blank" - actionSecondaryUrl={docLinks.links.siem} + actionSecondaryUrl={docLinks.links.siem.gettingStarted} data-test-subj="empty-page" + message={i18n.EMPTY_MESSAGE} title={i18n.EMPTY_TITLE} /> ); diff --git a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/events_query_tab_body.tsx b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/events_query_tab_body.tsx index 2a7d2fab577c39..df83ad056943a6 100644 --- a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/events_query_tab_body.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/events_query_tab_body.tsx 
@@ -18,11 +18,15 @@ import * as i18n from '../translations'; const HOSTS_PAGE_TIMELINE_ID = 'hosts-page'; const EVENTS_HISTOGRAM_ID = 'eventsOverTimeQuery'; -const eventsStackByOptions: MatrixHistogramOption[] = [ +export const eventsStackByOptions: MatrixHistogramOption[] = [ { text: i18n.NAVIGATION_EVENTS_STACK_BY_EVENT_ACTION, value: 'event.action', }, + { + text: i18n.NAVIGATION_EVENTS_STACK_BY_EVENT_DATASET, + value: 'event.dataset', + }, ]; export const EventsQueryTabBody = ({ diff --git a/x-pack/legacy/plugins/siem/public/pages/hosts/translations.ts b/x-pack/legacy/plugins/siem/public/pages/hosts/translations.ts index e91f48a5c2c011..3541f58555c95e 100644 --- a/x-pack/legacy/plugins/siem/public/pages/hosts/translations.ts +++ b/x-pack/legacy/plugins/siem/public/pages/hosts/translations.ts @@ -60,23 +60,17 @@ export const NAVIGATION_EVENTS_STACK_BY_EVENT_ACTION = i18n.translate( } ); +export const NAVIGATION_EVENTS_STACK_BY_EVENT_DATASET = i18n.translate( + 'xpack.siem.hosts.navigation.eventsStackByEventDataset', + { + defaultMessage: 'dataset', + } +); + export const NAVIGATION_ALERTS_TITLE = i18n.translate('xpack.siem.hosts.navigation.alertsTitle', { defaultMessage: 'Alerts', }); -export const EMPTY_TITLE = i18n.translate('xpack.siem.hosts.emptyTitle', { - defaultMessage: - 'It looks like you don’t have any indices relevant to hosts in the SIEM application', -}); - -export const EMPTY_ACTION_PRIMARY = i18n.translate('xpack.siem.hosts.emptyActionPrimary', { - defaultMessage: 'View setup instructions', -}); - -export const EMPTY_ACTION_SECONDARY = i18n.translate('xpack.siem.hosts.emptyActionSecondary', { - defaultMessage: 'Go to documentation', -}); - export const ERROR_FETCHING_AUTHENTICATIONS_DATA = i18n.translate( 'xpack.siem.hosts.navigaton.matrixHistogram.errorFetchingAuthenticationsData', { 
diff --git a/x-pack/legacy/plugins/siem/public/pages/network/network_empty_page.tsx b/x-pack/legacy/plugins/siem/public/pages/network/network_empty_page.tsx index e22802fd29d49e..78a3ae147fd0fc 100644 --- a/x-pack/legacy/plugins/siem/public/pages/network/network_empty_page.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/network/network_empty_page.tsx @@ -9,7 +9,7 @@ import chrome from 'ui/chrome'; import { useKibana } from '../../lib/kibana'; import { EmptyPage } from '../../components/empty_page'; -import * as i18n from './translations'; +import * as i18n from '../common/translations'; const basePath = chrome.getBasePath(); @@ -24,9 +24,10 @@ export const NetworkEmptyPage = React.memo(() => { actionSecondaryIcon="popout" actionSecondaryLabel={i18n.EMPTY_ACTION_SECONDARY} actionSecondaryTarget="_blank" - actionSecondaryUrl={docLinks.links.siem} + actionSecondaryUrl={docLinks.links.siem.gettingStarted} data-test-subj="empty-page" title={i18n.EMPTY_TITLE} + message={i18n.EMPTY_MESSAGE} /> ); }); diff --git a/x-pack/legacy/plugins/siem/public/pages/network/translations.ts b/x-pack/legacy/plugins/siem/public/pages/network/translations.ts index 35224fd6159788..00adce9b7ad8a1 100644 --- a/x-pack/legacy/plugins/siem/public/pages/network/translations.ts +++ b/x-pack/legacy/plugins/siem/public/pages/network/translations.ts 
@@ -14,19 +14,6 @@ export const PAGE_TITLE = i18n.translate('xpack.siem.network.pageTitle', { defaultMessage: 'Network', }); -export const EMPTY_TITLE = i18n.translate('xpack.siem.network.emptyTitle', { - defaultMessage: - 'It looks like you don’t have any indices relevant to network in the SIEM application', -}); - -export const EMPTY_ACTION_PRIMARY = i18n.translate('xpack.siem.network.emptyActionPrimary', { - defaultMessage: 'View setup instructions', -}); - -export const EMPTY_ACTION_SECONDARY = i18n.translate('xpack.siem.network.emptyActionSecondary', { - defaultMessage: 'Go to documentation', -}); - export const NAVIGATION_FLOWS_TITLE = i18n.translate('xpack.siem.network.navigation.flowsTitle', { defaultMessage: 'Flows', }); diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/alerts_by_category/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/alerts_by_category/index.tsx new file mode 100644 index 00000000000000..b038dc383df1ed --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/overview/alerts_by_category/index.tsx 
@@ -0,0 +1,127 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiButton } from '@elastic/eui'; +import numeral from '@elastic/numeral'; +import React, { useCallback, useMemo } from 'react'; +import { esFilters, IIndexPattern, Query } from 'src/plugins/data/public'; +import styled from 'styled-components'; + +import { + ERROR_FETCHING_ALERTS_DATA, + SHOWING, + UNIT, +} from '../../../components/alerts_viewer/translations'; +import { alertsStackByOptions } from '../../../components/alerts_viewer'; +import { getTabsOnHostsUrl } from '../../../components/link_to/redirect_to_hosts'; +import { MatrixHistogramContainer } from '../../../containers/matrix_histogram'; +import { MatrixHistogramGqlQuery } from '../../../containers/matrix_histogram/index.gql_query'; +import { MatrixHistogramOption } from '../../../components/matrix_histogram/types'; +import { useKibana, useUiSetting$ } from '../../../lib/kibana'; +import { convertToBuildEsQuery } from '../../../lib/keury'; +import { SetAbsoluteRangeDatePicker } from '../../network/types'; +import { esQuery } from '../../../../../../../../src/plugins/data/public'; +import { inputsModel } from '../../../store'; +import { HostsTableType, HostsType } from '../../../store/hosts/model'; +import { DEFAULT_NUMBER_FORMAT } from '../../../../common/constants'; + +import * as i18n from '../translations'; + +const ID = 'alertsByCategoryOverview'; + +const NO_FILTERS: esFilters.Filter[] = []; +const DEFAULT_QUERY: Query = { query: '', language: 'kuery' }; + +interface Props { + deleteQuery?: ({ id }: { id: string }) => void; + filters?: esFilters.Filter[]; + from: number; + indexPattern: IIndexPattern; + query?: Query; + setAbsoluteRangeDatePicker: SetAbsoluteRangeDatePicker; + setQuery: (params: { + id: string; + inspect: 
inputsModel.InspectQuery | null; + loading: boolean; + refetch: inputsModel.Refetch; + }) => void; + to: number; +} + +const ViewAlertsButton = styled(EuiButton)` + margin-left: 8px; +`; + +export const AlertsByCategory = React.memo( + ({ + deleteQuery, + filters = NO_FILTERS, + from, + indexPattern, + query = DEFAULT_QUERY, + setAbsoluteRangeDatePicker, + setQuery, + to, + }) => { + const kibana = useKibana(); + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + const updateDateRangeCallback = useCallback( + (min: number, max: number) => { + setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); + }, + [setAbsoluteRangeDatePicker] + ); + const alertsCountViewAlertsButton = useMemo( + () => ( + + {i18n.VIEW_ALERTS} + + ), + [] + ); + + const getTitle = useCallback( + (option: MatrixHistogramOption) => i18n.ALERTS_COUNT_BY(option.text), + [] + ); + const getSubtitle = useCallback( + (totalCount: number) => + `${SHOWING}: ${numeral(totalCount).format(defaultNumberFormat)} ${UNIT(totalCount)}`, + [] + ); + + return ( + + ); + } +); + +AlertsByCategory.displayName = 'AlertsByCategory'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx new file mode 100644 index 00000000000000..d0bb46a1965dc6 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx 
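Review bot: `getSubtitle` closes over `defaultNumberFormat` but is memoised with an empty dependency list, so when the `DEFAULT_NUMBER_FORMAT` advanced setting changes and `useUiSetting$` re-renders the component, the subtitle keeps formatting with the stale pattern; the dependency array should be `[defaultNumberFormat]`. In `updateDateRangeCallback` the non-null assertion `setAbsoluteRangeDatePicker!` is redundant because `Props` declares that prop as required, and it only hides the case where the parent passes `undefined` — drop the `!`, or make the prop optional and guard it if the connected parent's props really are optional. The JSX returned by `AlertsByCategory` is not legible in this rendering of the hunk, so the props forwarded to `MatrixHistogramContainer` could not be checked.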
@@ -0,0 +1,80 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; +import React from 'react'; +import { esFilters, IIndexPattern, Query } from 'src/plugins/data/public'; +import styled from 'styled-components'; + +import { OverviewHost } from '../../../components/page/overview/overview_host'; +import { OverviewNetwork } from '../../../components/page/overview/overview_network'; +import { useKibana } from '../../../lib/kibana'; +import { convertToBuildEsQuery } from '../../../lib/keury'; +import { esQuery } from '../../../../../../../../src/plugins/data/public'; +import { inputsModel } from '../../../store'; + +const HorizontalSpacer = styled(EuiFlexItem)` + width: 24px; +`; + +const NO_FILTERS: esFilters.Filter[] = []; +const DEFAULT_QUERY: Query = { query: '', language: 'kuery' }; + +interface Props { + filters?: esFilters.Filter[]; + from: number; + indexPattern: IIndexPattern; + query?: Query; + setQuery: (params: { + id: string; + inspect: inputsModel.InspectQuery | null; + loading: boolean; + refetch: inputsModel.Refetch; + }) => void; + to: number; +} + +export const EventCounts = React.memo( + ({ filters = NO_FILTERS, from, indexPattern, query = DEFAULT_QUERY, setQuery, to }) => { + const kibana = useKibana(); + + return ( + + + + + + + + + + + + ); + } +); + +EventCounts.displayName = 'EventCounts'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx new file mode 100644 index 00000000000000..b4f945c802e56c --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx 
@@ -0,0 +1,127 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiButton } from '@elastic/eui'; +import numeral from '@elastic/numeral'; +import React, { useCallback, useMemo } from 'react'; +import { esFilters, IIndexPattern, Query } from 'src/plugins/data/public'; +import styled from 'styled-components'; + +import { + ERROR_FETCHING_EVENTS_DATA, + SHOWING, + UNIT, +} from '../../../components/events_viewer/translations'; +import { convertToBuildEsQuery } from '../../../lib/keury'; +import { SetAbsoluteRangeDatePicker } from '../../network/types'; +import { getTabsOnHostsUrl } from '../../../components/link_to/redirect_to_hosts'; +import { MatrixHistogramContainer } from '../../../containers/matrix_histogram'; +import { MatrixHistogramGqlQuery } from '../../../containers/matrix_histogram/index.gql_query'; +import { MatrixHistogramOption } from '../../../components/matrix_histogram/types'; +import { eventsStackByOptions } from '../../hosts/navigation'; +import { useKibana, useUiSetting$ } from '../../../lib/kibana'; +import { esQuery } from '../../../../../../../../src/plugins/data/public'; +import { inputsModel } from '../../../store'; +import { HostsTableType, HostsType } from '../../../store/hosts/model'; +import { DEFAULT_NUMBER_FORMAT } from '../../../../common/constants'; + +import * as i18n from '../translations'; + +const NO_FILTERS: esFilters.Filter[] = []; +const DEFAULT_QUERY: Query = { query: '', language: 'kuery' }; + +const ID = 'eventsByDatasetOverview'; + +interface Props { + deleteQuery?: ({ id }: { id: string }) => void; + filters?: esFilters.Filter[]; + from: number; + indexPattern: IIndexPattern; + query?: Query; + setAbsoluteRangeDatePicker: SetAbsoluteRangeDatePicker; + setQuery: (params: { + id: string; + inspect: 
inputsModel.InspectQuery | null; + loading: boolean; + refetch: inputsModel.Refetch; + }) => void; + to: number; +} + +const ViewEventsButton = styled(EuiButton)` + margin-left: 8px; +`; + +export const EventsByDataset = React.memo( + ({ + deleteQuery, + filters = NO_FILTERS, + from, + indexPattern, + query = DEFAULT_QUERY, + setAbsoluteRangeDatePicker, + setQuery, + to, + }) => { + const kibana = useKibana(); + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + const updateDateRangeCallback = useCallback( + (min: number, max: number) => { + setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); + }, + [setAbsoluteRangeDatePicker] + ); + const eventsCountViewEventsButton = useMemo( + () => ( + + {i18n.VIEW_EVENTS} + + ), + [] + ); + + const getTitle = useCallback( + (option: MatrixHistogramOption) => i18n.EVENTS_COUNT_BY(option.text), + [] + ); + const getSubtitle = useCallback( + (totalCount: number) => + `${SHOWING}: ${numeral(totalCount).format(defaultNumberFormat)} ${UNIT(totalCount)}`, + [] + ); + + return ( + + ); + } +); + +EventsByDataset.displayName = 'EventsByDataset'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/index.tsx index e0af54acde3105..65b401f00a86e0 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/index.tsx @@ -6,8 +6,8 @@ import React, { memo } from 'react'; -import { OverviewComponent } from './overview'; +import { StatefulOverview } from './overview'; -export const Overview = memo(() => ); +export const Overview = memo(() => ); Overview.displayName = 'Overview'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/overview.test.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/overview.test.tsx index eff61bf6a9710a..be43ae8f5ed64b 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/overview.test.tsx 
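Review bot: `getSubtitle` in `EventsByDataset` reads `defaultNumberFormat` inside a `useCallback` with `[]` dependencies, so a change to the `DEFAULT_NUMBER_FORMAT` setting is never reflected in the subtitle; use `[defaultNumberFormat]`. This file duplicates `alerts_by_category/index.tsx` almost line for line (same props, same date-range callback, same subtitle builder), which is worth a shared helper such as `useSubtitle(defaultNumberFormat)` or a common `HistogramPanelProps` type so the two panels cannot drift apart. As in the sibling file, the `!` on the required `setAbsoluteRangeDatePicker` prop is unnecessary and should go.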
+++ b/x-pack/legacy/plugins/siem/public/pages/overview/overview.test.tsx @@ -10,10 +10,35 @@ import React from 'react'; import { MockedProvider } from 'react-apollo/test-utils'; import { MemoryRouter } from 'react-router-dom'; +import '../../mock/match_media'; import { TestProviders } from '../../mock'; import { mocksSource } from '../../containers/source/mock'; import { Overview } from './index'; +jest.mock('ui/chrome', () => ({ + getBasePath: () => { + return ''; + }, + getKibanaVersion: () => { + return 'v8.0.0'; + }, + breadcrumbs: { + set: jest.fn(), + }, + getUiSettingsClient: () => ({ + get: jest.fn(), + }), +})); + +// Test will fail because we will to need to mock some core services to make the test work +// For now let's forget about SiemSearchBar and QueryBar +jest.mock('../../components/search_bar', () => ({ + SiemSearchBar: () => null, +})); +jest.mock('../../components/query_bar', () => ({ + QueryBar: () => null, +})); + let localSource: Array<{ request: {}; result: { diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx index a0e94431054cca..572a19ca67b8a8 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx 
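Review bot: The explanatory comment above the `jest.mock('../../components/search_bar', …)` call is a broken sentence ("because we will to need to mock") and does not say what is actually missing; rephrase it as an actionable TODO, e.g. `// TODO: SiemSearchBar and QueryBar depend on core services that are not mocked here yet; they are stubbed out so the overview snapshot can render`. Note also that the `ui/chrome` mock's `getUiSettingsClient().get` is a bare `jest.fn()` returning `undefined` for every setting, so anything in the overview tree that formats with a UI setting (for example the number-format used by the new histogram panels, if it goes through this client) is exercised with an undefined value rather than a realistic default.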
@@ -4,76 +4,146 @@ * you may not use this file except in compliance with the Elastic License. */ -import { EuiFlexGroup } from '@elastic/eui'; -import moment from 'moment'; +import { EuiFlexGroup, EuiFlexItem, EuiSpacer } from '@elastic/eui'; import React from 'react'; -import chrome from 'ui/chrome'; +import { connect } from 'react-redux'; +import { StickyContainer } from 'react-sticky'; +import { compose } from 'redux'; +import { Query, esFilters } from 'src/plugins/data/public'; +import styled from 'styled-components'; -import { useKibana } from '../../lib/kibana'; -import { EmptyPage } from '../../components/empty_page'; +import { AlertsByCategory } from './alerts_by_category'; +import { FiltersGlobal } from '../../components/filters_global'; import { HeaderPage } from '../../components/header_page'; -import { OverviewHost } from '../../components/page/overview/overview_host'; -import { OverviewNetwork } from '../../components/page/overview/overview_network'; +import { SiemSearchBar } from '../../components/search_bar'; import { WrapperPage } from '../../components/wrapper_page'; import { GlobalTime } from '../../containers/global_time'; import { WithSource, indicesExistOrDataTemporarilyUnavailable } from '../../containers/source'; +import { EventsByDataset } from './events_by_dataset'; +import { EventCounts } from './event_counts'; +import { SetAbsoluteRangeDatePicker } from '../network/types'; +import { OverviewEmpty } from './overview_empty'; +import { StatefulSidebar } from './sidebar'; +import { SignalsByCategory } from './signals_by_category'; +import { inputsSelectors, State } from '../../store'; +import { setAbsoluteRangeDatePicker as dispatchSetAbsoluteRangeDatePicker } from '../../store/inputs/actions'; import { SpyRoute } from '../../utils/route/spy_routes'; -import { Summary } from './summary'; + import * as i18n from './translations'; -const basePath = chrome.getBasePath(); +const DEFAULT_QUERY: Query = { query: '', language: 'kuery' }; +const 
NO_FILTERS: esFilters.Filter[] = []; +const SidebarFlexItem = styled(EuiFlexItem)` + margin-right: 24px; +`; -export const OverviewComponent = React.memo(() => { - const docLinks = useKibana().services.docLinks; - const dateEnd = Date.now(); - const dateRange = moment.duration(24, 'hours').asMilliseconds(); - const dateStart = dateEnd - dateRange; +interface OverviewComponentReduxProps { + query?: Query; + filters?: esFilters.Filter[]; + setAbsoluteRangeDatePicker?: SetAbsoluteRangeDatePicker; +} - return ( +const OverviewComponent = React.memo( + ({ filters = NO_FILTERS, query = DEFAULT_QUERY, setAbsoluteRangeDatePicker }) => ( <> - - - - - {({ indicesExist }) => - indicesExistOrDataTemporarilyUnavailable(indicesExist) ? ( - - {({ setQuery }) => ( - - - - - - )} - - ) : ( - - ) - } - - + + {({ indicesExist, indexPattern }) => + indicesExistOrDataTemporarilyUnavailable(indicesExist) ? ( + + + + + + + + + + + + + + + + {({ from, deleteQuery, setQuery, to }) => ( + <> + + + + + + + + + + + + + + + )} + + + + + + ) : ( + + ) + } + - ); -}); + ) +); + OverviewComponent.displayName = 'OverviewComponent'; + +const makeMapStateToProps = () => { + const getGlobalFiltersQuerySelector = inputsSelectors.globalFiltersQuerySelector(); + const getGlobalQuerySelector = inputsSelectors.globalQuerySelector(); + + const mapStateToProps = (state: State): OverviewComponentReduxProps => ({ + query: getGlobalQuerySelector(state), + filters: getGlobalFiltersQuerySelector(state), + }); + + return mapStateToProps; +}; + +export const StatefulOverview = compose>( + connect(makeMapStateToProps, { setAbsoluteRangeDatePicker: dispatchSetAbsoluteRangeDatePicker }) +)(OverviewComponent); diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx new file mode 100644 index 00000000000000..43883515574acc --- /dev/null 
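Review bot: `OverviewComponentReduxProps` declares `setAbsoluteRangeDatePicker?` as optional even though `connect(makeMapStateToProps, { setAbsoluteRangeDatePicker: dispatchSetAbsoluteRangeDatePicker })` always injects it; that optionality is what forces the `!` assertions in the child panels that receive the callback. Split the type into the mapped state props and a `DispatchProps` with a required `setAbsoluteRangeDatePicker: SetAbsoluteRangeDatePicker`, and pass both to `connect`, so the compiler rather than a non-null assertion guarantees the callback exists. Most of the JSX in this hunk (the `compose` type arguments included) is not legible in this rendering, so the props wired into `EventsByDataset`, `AlertsByCategory` and `SignalsByCategory` could not be checked here.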
+++ b/x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx @@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React from 'react'; +import chrome from 'ui/chrome'; + +import * as i18nCommon from '../../common/translations'; +import { EmptyPage } from '../../../components/empty_page'; +import { useKibana } from '../../../lib/kibana'; + +const basePath = chrome.getBasePath(); + +export const OverviewEmpty = React.memo(() => { + const docLinks = useKibana().services.docLinks; + + return ( + + ); +}); + +OverviewEmpty.displayName = 'OverviewEmpty'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/sidebar/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/sidebar/index.tsx new file mode 100644 index 00000000000000..ad2821edde411c --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/overview/sidebar/index.tsx @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React, { useState } from 'react'; + +import { FilterMode } from '../../../components/recent_timelines/types'; +import { Sidebar } from './sidebar'; + +export const StatefulSidebar = React.memo(() => { + const [filterBy, setFilterBy] = useState('favorites'); + + return ; +}); + +StatefulSidebar.displayName = 'StatefulSidebar'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/sidebar/sidebar.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/sidebar/sidebar.tsx new file mode 100644 index 00000000000000..d3b85afe62a2a1 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/overview/sidebar/sidebar.tsx 
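Review bot: `basePath` in `overview_empty/index.tsx` is read from the legacy `chrome.getBasePath()` at module-evaluation time while `docLinks` is read from the new-platform `useKibana().services.docLinks` inside the component, so the file mixes both platforms and the test file has to mock `ui/chrome` just to import it. A module-level call also fixes the value on import, even in contexts that never render the component; if the kibana services context exposes `http`, reading it in the component (`const basePath = useKibana().services.http.basePath.get();`) keeps the file on one platform — I can't confirm from this hunk that `http` is on the context, so verify before switching. The `EmptyPage` props passed by `OverviewEmpty` are not legible in this rendering.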
@@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiFlexGroup, EuiFlexItem, EuiSpacer } from '@elastic/eui'; +import React, { useMemo } from 'react'; +import styled from 'styled-components'; + +import { Filters } from '../../../components/recent_timelines/filters'; +import { ENABLE_NEWS_FEED_SETTING, NEWS_FEED_URL_SETTING } from '../../../../common/constants'; +import { StatefulRecentTimelines } from '../../../components/recent_timelines'; +import { StatefulNewsFeed } from '../../../components/news_feed'; +import { FilterMode } from '../../../components/recent_timelines/types'; +import { SidebarHeader } from '../../../components/sidebar_header'; +import { useApolloClient } from '../../../utils/apollo_context'; + +import * as i18n from '../translations'; + +const SidebarFlexGroup = styled(EuiFlexGroup)` + width: 305px; +`; + +export const Sidebar = React.memo<{ + filterBy: FilterMode; + setFilterBy: (filterBy: FilterMode) => void; +}>(({ filterBy, setFilterBy }) => { + const apolloClient = useApolloClient(); + const RecentTimelinesFilters = useMemo( + () => , + [filterBy, setFilterBy] + ); + + return ( + + + {RecentTimelinesFilters} + + + + + + + + + + + + ); +}); + +Sidebar.displayName = 'Sidebar'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx new file mode 100644 index 00000000000000..ce6e6ccf4e9e30 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx 
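Review bot: `Sidebar` passes the `ENABLE_NEWS_FEED_SETTING` and `NEWS_FEED_URL_SETTING` advanced-setting keys into `StatefulNewsFeed` (the JSX is not legible in this rendering, so I am going by the imports); since that URL is an advanced setting editable by anyone holding the Kibana settings privilege, the feed payload should be treated as untrusted by whatever fetches it, and a short comment at the point of use would make that contract explicit, e.g. `// newsFeedUrl is admin-configurable; StatefulNewsFeed must validate the fetched payload and render it as text only`. Whether the fetching component already does so is outside this hunk. Separately, `useApolloClient()` is forwarded without a check; if the hook can return `undefined` outside a provider, `StatefulRecentTimelines` should receive a guarded value.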
@@ -0,0 +1,63 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React, { useCallback } from 'react'; +import { esFilters, IIndexPattern, Query } from 'src/plugins/data/public'; + +import { SignalsHistogramPanel } from '../../detection_engine/components/signals_histogram_panel'; +import { SetAbsoluteRangeDatePicker } from '../../network/types'; +import { inputsModel } from '../../../store'; + +import * as i18n from '../translations'; + +const NO_FILTERS: esFilters.Filter[] = []; +const DEFAULT_QUERY: Query = { query: '', language: 'kuery' }; + +interface Props { + filters?: esFilters.Filter[]; + from: number; + indexPattern: IIndexPattern; + query?: Query; + setAbsoluteRangeDatePicker: SetAbsoluteRangeDatePicker; + setQuery: (params: { + id: string; + inspect: inputsModel.InspectQuery | null; + loading: boolean; + refetch: inputsModel.Refetch; + }) => void; + to: number; +} + +export const SignalsByCategory = React.memo( + ({ filters = NO_FILTERS, from, query = DEFAULT_QUERY, setAbsoluteRangeDatePicker, to }) => { + const updateDateRangeCallback = useCallback( + (min: number, max: number) => { + setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); + }, + [setAbsoluteRangeDatePicker] + ); + + return ( + + ); + } +); + +SignalsByCategory.displayName = 'SignalsByCategory'; diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/summary.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/summary.tsx index 51cfcbe9374ab9..da16cb28c61711 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/summary.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/summary.tsx 
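Review bot: `Props` for `SignalsByCategory` requires `indexPattern` and `setQuery`, but the component destructures only `filters, from, query, setAbsoluteRangeDatePicker, to`, so both are dead required props: every caller must supply them and TypeScript never reports that they are ignored. Either remove them from `Props` or forward them to `SignalsHistogramPanel` if it accepts them (that component's props are not visible here). As in the sibling panels, the `!` on `setAbsoluteRangeDatePicker` is redundant because the prop is declared required; `setAbsoluteRangeDatePicker({ id: 'global', from: min, to: max });` is enough.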
@@ -29,7 +29,7 @@ export const Summary = React.memo(() => { defaultMessage="Welcome to Security Information & Event Management (SIEM). Get started by reviewing our {docs} or {data}. For information about upcoming features and tutorials, be sure to check out our {siemSolution} page." values={{ docs: ( - + + i18n.translate('xpack.siem.overview.alertsCountByTitle', { + values: { groupByField }, + defaultMessage: 'Alerts count by {groupByField}', + }); + +export const EVENTS_COUNT_BY = (groupByField: string) => + i18n.translate('xpack.siem.overview.eventsCountByTitle', { + values: { groupByField }, + defaultMessage: 'Events count by {groupByField}', + }); + +export const NEWS_FEED_TITLE = i18n.translate('xpack.siem.overview.newsFeedSidebarTitle', { + defaultMessage: 'Security news', +}); + export const PAGE_TITLE = i18n.translate('xpack.siem.overview.pageTitle', { defaultMessage: 'SIEM', }); 
@@ -23,14 +39,18 @@ export const PAGE_BADGE_TOOLTIP = i18n.translate('xpack.siem.overview.pageBadgeT 'SIEM is still in beta. Please help us improve by reporting issues or bugs in the Kibana repo.', }); -export const EMPTY_TITLE = i18n.translate('xpack.siem.overview.emptyTitle', { - defaultMessage: 'It looks like you don’t have any indices relevant to the SIEM application', +export const RECENT_TIMELINES = i18n.translate('xpack.siem.overview.recentTimelinesSidebarTitle', { + defaultMessage: 'Recent timelines', +}); + +export const SIGNALS_BY_CATEGORY = i18n.translate('xpack.siem.overview.signalsByCategoryTitle', { + defaultMessage: 'Signals count by MITRE ATT&CK\\u2122 category', }); -export const EMPTY_ACTION_PRIMARY = i18n.translate('xpack.siem.overview.emptyActionPrimary', { - defaultMessage: 'View setup instructions', +export const VIEW_ALERTS = i18n.translate('xpack.siem.overview.viewAlertsButtonLabel', { + defaultMessage: 'View alerts', }); -export const EMPTY_ACTION_SECONDARY = i18n.translate('xpack.siem.overview.emptyActionSecondary', { - defaultMessage: 'Go to documentation', +export const VIEW_EVENTS = i18n.translate('xpack.siem.overview.viewEventsButtonLabel', { + defaultMessage: 'View events', }); diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 7796c33b5388bf..8ec3d605f4fbaa 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json 
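Review bot: `SIGNALS_BY_CATEGORY`'s default message contains `\\u2122`, which in a TypeScript string literal is a literal backslash followed by `u2122`, not the ™ character; unless the i18n message formatter decodes backslash escapes itself (I can't confirm that from this hunk), the overview panel title will render as `MITRE ATT&CK\u2122 category`. Writing the character directly, `defaultMessage: 'Signals count by MITRE ATT&CK™ category'`, removes the dependency on escape handling and keeps the ja-JP/zh-CN translations unambiguous; if the double backslash is deliberate because of the extraction tooling, a one-line comment saying so would stop the next reader from "fixing" it.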
@@ -11158,9 +11158,6 @@ "xpack.siem.host.details.overview.platformTitle": "プラットフォーム", "xpack.siem.host.details.overview.regionTitle": "地域", "xpack.siem.host.details.versionLabel": "バージョン", - "xpack.siem.hosts.emptyActionPrimary": "セットアップの手順を表示", - "xpack.siem.hosts.emptyActionSecondary": "ドキュメントに移動", - "xpack.siem.hosts.emptyTitle": "SIEM アプリケーションのホストに関連したインデックスがないようです", "xpack.siem.hosts.kqlPlaceholder": "例: host.name: \"foo\"", "xpack.siem.hosts.navigation.allHostsTitle": "すべてのホスト", "xpack.siem.hosts.navigation.anomaliesTitle": "異常", @@ -11238,9 +11235,6 @@ "xpack.siem.navigation.network": "ネットワーク", "xpack.siem.navigation.overview": "概要", "xpack.siem.navigation.timelines": "タイムライン", - "xpack.siem.network.emptyActionPrimary": "セットアップの手順を表示", - "xpack.siem.network.emptyActionSecondary": "ドキュメントに移動", - "xpack.siem.network.emptyTitle": "SIEM アプリケーションのネットワークに関連したインデックスがないようです", "xpack.siem.network.ipDetails.ipOverview.asDestinationDropDownOptionLabel": "送信先として", "xpack.siem.network.ipDetails.ipOverview.asSourceDropDownOptionLabel": "送信元として", "xpack.siem.network.ipDetails.ipOverview.autonomousSystemTitle": "自動システム", @@ -11352,9 +11346,6 @@ "xpack.siem.overview.auditBeatProcessTitle": "Auditbeatプロセス", "xpack.siem.overview.auditBeatSocketTitle": "Auditbeatソケット", "xpack.siem.overview.auditBeatUserTitle": "Auditbeatユーザー", - "xpack.siem.overview.emptyActionPrimary": "セットアップの手順を表示", - "xpack.siem.overview.emptyActionSecondary": "ドキュメントに移動", - "xpack.siem.overview.emptyTitle": "SIEM アプリケーションに関連したインデックスがないようです", "xpack.siem.overview.endgameDnsTitle": "Endgame DNS", "xpack.siem.overview.endgameFileTitle": "Endgame ファイル", "xpack.siem.overview.endgameImageLoadTitle": "Endgame 画像の読み込み", 
@@ -11372,10 +11363,8 @@ "xpack.siem.overview.filebeatSystemModuleTitle": "Filebeat システムモジュール", "xpack.siem.overview.fileBeatZeekTitle": "Filebeat Zeek", "xpack.siem.overview.hostsAction": "ホストを表示", - "xpack.siem.overview.hostsSubtitle": "表示中:過去 24 時間", "xpack.siem.overview.hostsTitle": "ホストイベント", "xpack.siem.overview.networkAction": "ネットワークを表示", - "xpack.siem.overview.networkSubtitle": "表示中:過去 24 時間", "xpack.siem.overview.networkTitle": "ネットワークイベント", "xpack.siem.overview.packetBeatDnsTitle": "Packetbeat DNS", "xpack.siem.overview.packetBeatFlowTitle": "Packetbeatフロー", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index c89159568ada65..f20de892f6d0d1 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -11157,9 +11157,6 @@ "xpack.siem.host.details.overview.platformTitle": "平台", "xpack.siem.host.details.overview.regionTitle": "地区", "xpack.siem.host.details.versionLabel": "版本", - "xpack.siem.hosts.emptyActionPrimary": "查看设置说明", - "xpack.siem.hosts.emptyActionSecondary": "前往文档", - "xpack.siem.hosts.emptyTitle": "似乎您在 SIEM 应用程序中没有与主机相关的索引", "xpack.siem.hosts.kqlPlaceholder": "例如 host.name:“foo”", "xpack.siem.hosts.navigation.allHostsTitle": "所有主机", "xpack.siem.hosts.navigation.anomaliesTitle": "异常", @@ -11237,9 +11234,6 @@ "xpack.siem.navigation.network": "网络", "xpack.siem.navigation.overview": "概览", "xpack.siem.navigation.timelines": "时间线", - "xpack.siem.network.emptyActionPrimary": "查看设置说明", - "xpack.siem.network.emptyActionSecondary": "前往文档", - "xpack.siem.network.emptyTitle": "似乎您在 SIEM 应用程序中没有与网络相关的索引", "xpack.siem.network.ipDetails.ipOverview.asDestinationDropDownOptionLabel": "作为目标", "xpack.siem.network.ipDetails.ipOverview.asSourceDropDownOptionLabel": "作为源", "xpack.siem.network.ipDetails.ipOverview.autonomousSystemTitle": "自治系统", 
@@ -11351,9 +11345,6 @@ "xpack.siem.overview.auditBeatProcessTitle": "Auditbeat 进程", "xpack.siem.overview.auditBeatSocketTitle": "Auditbeat 套接字", "xpack.siem.overview.auditBeatUserTitle": "Auditbeat 用户", - "xpack.siem.overview.emptyActionPrimary": "查看设置说明", - "xpack.siem.overview.emptyActionSecondary": "前往文档", - "xpack.siem.overview.emptyTitle": "似乎您没有与 SIEM 应用程序相关的索引", "xpack.siem.overview.endgameDnsTitle": "Endgame DNS", "xpack.siem.overview.endgameFileTitle": "Endgame 文件", "xpack.siem.overview.endgameImageLoadTitle": "Endgame 图像加载", @@ -11371,10 +11362,8 @@ "xpack.siem.overview.filebeatSystemModuleTitle": "Filebeat 系统模块", "xpack.siem.overview.fileBeatZeekTitle": "Filebeat Zeek", "xpack.siem.overview.hostsAction": "查看主机", - "xpack.siem.overview.hostsSubtitle": "显示:过去 24 小时", "xpack.siem.overview.hostsTitle": "主机事件", "xpack.siem.overview.networkAction": "查看网络", - "xpack.siem.overview.networkSubtitle": "显示:过去 24 小时", "xpack.siem.overview.networkTitle": "网络事件", "xpack.siem.overview.packetBeatDnsTitle": "Packetbeat DNS", "xpack.siem.overview.packetBeatFlowTitle": "Packetbeat 流", From d3a3cefc73bba87fed0ab55a76e78c6ca76c538a Mon Sep 17 00:00:00 2001 From: Patrick Mueller Date: Tue, 14 Jan 2020 23:47:55 -0500 Subject: [PATCH 03/10] add readme note about alerting / manage_api_key cluster privilege (#54639) partially resolves https://github.com/elastic/kibana/issues/54525 --- x-pack/legacy/plugins/alerting/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/x-pack/legacy/plugins/alerting/README.md b/x-pack/legacy/plugins/alerting/README.md index 30d34bd3b436d6..d5e9dcb76caa4a 100644 --- a/x-pack/legacy/plugins/alerting/README.md +++ b/x-pack/legacy/plugins/alerting/README.md 
@@ -32,6 +32,14 @@ When security is enabled, an SSL connection to Elasticsearch is required in orde When security is enabled, users who create alerts will need the `manage_api_key` cluster privilege. There is currently work in progress to remove this requirement. +Note that the `manage_own_api_key` cluster privilege is not enough - it can be used to create API keys, but not invalidate them, and the alerting plugin currently both creates and invalidates APIs keys as part of it's processing. When using only the `manage_own_api_key` privilege, you will see the following message logged in the server when the alerting plugin attempts to invalidate an API key: + +``` +[error][alerting][plugins] Failed to invalidate API Key: [security_exception] \ + action [cluster:admin/xpack/security/api_key/invalidate] \ + is unauthorized for user [user-name-here] +``` + ## Alert types ### Methods From 94a409964bdce56222a190facc6c056fc4125615 Mon Sep 17 00:00:00 2001 From: spalger Date: Tue, 14 Jan 2020 23:26:20 -0700 Subject: [PATCH 04/10] update invalid snapshot --- .../__snapshots__/dynamic_color_property.test.js.snap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/legacy/plugins/maps/public/layers/styles/vector/properties/__snapshots__/dynamic_color_property.test.js.snap b/x-pack/legacy/plugins/maps/public/layers/styles/vector/properties/__snapshots__/dynamic_color_property.test.js.snap index 3b3cade87a4ad7..97acffae15a850 100644 --- a/x-pack/legacy/plugins/maps/public/layers/styles/vector/properties/__snapshots__/dynamic_color_property.test.js.snap +++ b/x-pack/legacy/plugins/maps/public/layers/styles/vector/properties/__snapshots__/dynamic_color_property.test.js.snap @@ -30,7 +30,7 @@ exports[`Should render categorical legend with breaks from default 1`] = ` fillColor="none" isLinesOnly={false} isPointsOnly={true} - strokeColor="#5BBAA0" + strokeColor="#54B399" /> From 9c43e3ad93abeb770ac981636fd990ad46f596e6 Mon Sep 17 00:00:00 2001 
From: Frank Hassanabad Date: Wed, 15 Jan 2020 00:55:55 -0700 Subject: [PATCH 05/10] [SIEM][Detection Engine] Order JSON keys, fix scripts, update pre-packaged rules ## Summary * Updates pre-packaged rules * Adds rule_id duplicate check into the linter * Updates the scripts for converting saved objects to rules * Adds a script for re-generating the `index.ts` for the rules ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) --- .../scripts/convert_saved_search_to_rules.js | 58 +- .../rules/get_prepackaged_rules.test.ts | 23 +- .../rules/get_prepackaged_rules.ts | 8 +- 
.../403_response_to_a_post.json | 17 + .../405_response_method_not_allowed.json | 17 + .../500_response_on_admin_page.json | 17 + ...nd_shell_started_by_internet_explorer.json | 60 +- .../command_shell_started_by_powershell.json | 60 +- .../command_shell_started_by_svchost.json | 60 +- ...rk_detect_large_outbound_icmp_packets.json | 17 + ...k_detect_long_dns_txt_record_response.json | 17 + ...s_passing_authentication_in_cleartext.json | 17 + ...windows_child_processes_of_spoolsvexe.json | 17 + ...indows_detect_new_local_admin_account.json | 17 + ...ws_detect_psexec_with_accepteula_flag.json | 17 + ..._cmdexe_to_launch_script_interpreters.json | 17 + .../ece_windows_new_external_device.json | 17 + ...ce_windows_processes_created_by_netsh.json | 17 + ...ece_windows_processes_launching_netsh.json | 17 + ...ece_windows_windows_event_log_cleared.json | 17 + ...den_file_attribute_with_via_attribexe.json | 16 +- .../eql_adobe_hijack_persistence.json | 16 +- .../eql_audio_capture_via_powershell.json | 16 +- .../eql_audio_capture_via_soundrecorder.json | 16 +- .../eql_bypass_uac_event_viewer.json | 16 +- .../eql_bypass_uac_via_cmstp.json | 16 +- .../eql_bypass_uac_via_sdclt.json | 16 +- .../eql_clearing_windows_event_logs.json | 16 +- ...delete_volume_usn_journal_with_fsutil.json | 16 +- ...deleting_backup_catalogs_with_wbadmin.json | 16 +- .../eql_direct_outbound_smb_connection.json | 16 +- ...ble_windows_firewall_rules_with_netsh.json | 16 +- .../eql_dll_search_order_hijack.json | 16 +- ...coding_or_decoding_files_via_certutil.json | 16 +- .../eql_local_scheduled_task_commands.json | 16 +- .../eql_local_service_commands.json | 16 +- ...ql_modification_of_boot_configuration.json | 16 +- ...ql_msbuild_making_network_connections.json | 16 +- .../eql_mshta_making_network_connections.json | 16 +- .../eql_msxsl_making_network_connections.json | 16 +- .../eql_psexec_lateral_movement_command.json | 16 +- ...ql_suspicious_ms_office_child_process.json | 16 +- 
...l_suspicious_ms_outlook_child_process.json | 16 +- ...l_suspicious_pdf_reader_child_process.json | 16 +- .../eql_system_shells_via_services.json | 16 +- ...usual_network_connection_via_rundll32.json | 16 +- .../eql_unusual_parentchild_relationship.json | 16 +- ...ql_unusual_process_network_connection.json | 16 +- .../eql_user_account_creation.json | 16 +- ...eql_user_added_to_administrator_group.json | 16 +- ...ume_shadow_copy_deletion_via_vssadmin.json | 16 +- ..._volume_shadow_copy_deletion_via_wmic.json | 16 +- ...l_windows_script_executing_powershell.json | 16 +- .../eql_wmic_command_lateral_movement.json | 16 +- .../rules/prepackaged_rules/index.ts | 681 +++++++++++------- .../linux_hping_activity.json | 66 +- .../linux_iodine_activity.json | 66 +- ...va_process_connecting_to_the_internet.json | 96 +-- .../linux_kernel_module_activity.json | 66 +- .../linux_ldso_process_activity.json | 16 +- .../linux_lzop_activity.json | 17 + ..._lzop_activity_possible_julianrunnels.json | 16 +- .../linux_mknod_activity.json | 66 +- .../linux_netcat_network_connection.json | 93 +-- ...k_anomalous_process_using_https_ports.json | 16 +- .../linux_nmap_activity.json | 66 +- .../linux_nping_activity.json | 66 +- ...nux_process_started_in_temp_directory.json | 66 +- .../linux_ptrace_activity.json | 41 +- .../linux_rawshark_activity.json | 66 +- .../linux_shell_activity_by_web_server.json | 16 +- .../linux_socat_activity.json | 16 + .../linux_ssh_forwarding.json | 19 + .../linux_strace_activity.json | 66 +- .../linux_tcpdump_activity.json | 41 +- .../linux_unusual_shell_activity.json | 78 +- .../prepackaged_rules/linux_web_download.json | 41 +- .../linux_whoami_commmand.json | 66 +- .../network_dns_directly_to_the_internet.json | 16 +- ...fer_protocol_activity_to_the_internet.json | 16 +- ...hat_protocol_activity_to_the_internet.json | 16 +- .../network_nat_traversal_port_activity.json | 16 +- .../network_port_26_activity.json | 16 +- .../network_port_8000_activity.json | 16 +- 
...rk_port_8000_activity_to_the_internet.json | 16 +- ..._to_point_tunneling_protocol_activity.json | 16 +- ...k_proxy_port_activity_to_the_internet.json | 16 +- ...te_desktop_protocol_from_the_internet.json | 16 +- ...mote_desktop_protocol_to_the_internet.json | 16 +- ...mote_procedure_call_from_the_internet.json | 16 +- ...remote_procedure_call_to_the_internet.json | 16 +- ...file_sharing_activity_to_the_internet.json | 16 +- .../network_smtp_to_the_internet.json | 16 +- ..._server_port_activity_to_the_internet.json | 16 +- ...rk_ssh_secure_shell_from_the_internet.json | 16 +- ...work_ssh_secure_shell_to_the_internet.json | 16 +- .../network_telnet_port_activity.json | 16 +- .../network_tor_activity_to_the_internet.json | 16 +- ...l_network_computing_from_the_internet.json | 16 +- ...ual_network_computing_to_the_internet.json | 16 +- .../prepackaged_rules/null_user_agent.json | 35 + .../powershell_network_connection.json | 60 +- .../process_execution_via_wmi.json | 16 +- ...ed_by_acrobat_reader_possible_payload.json | 42 +- ...by_ms_office_program_possible_payload.json | 42 +- .../process_started_by_windows_defender.json | 16 +- .../prepackaged_rules/psexec_activity.json | 16 +- .../prepackaged_rules/search_windows_10.json | 40 +- .../splunk_child_processes_of_spoolsvexe.json | 16 +- ...nk_detect_large_outbound_icmp_packets.json | 16 +- ...k_detect_long_dns_txt_record_response.json | 16 +- ...splunk_detect_new_local_admin_account.json | 16 +- ...nk_detect_psexec_with_accepteula_flag.json | 16 +- ..._cmdexe_to_launch_script_interpreters.json | 16 +- .../splunk_processes_created_by_netsh.json | 16 +- .../splunk_processes_launching_netsh.json | 16 +- ...s_passing_authentication_in_cleartext.json | 16 +- .../splunk_windows_event_log_cleared.json | 16 +- .../prepackaged_rules/sqlmap_user_agent.json | 17 + ...ed_invokecommand_powershell_execution.json | 44 +- ...ncoded_newobject_powershell_execution.json | 44 +- ...ded_startprocess_powershell_execution.json | 44 +- 
...gory_a_suspicious_string_was_detected.json | 16 +- ...ttempted_administrator_privilege_gain.json | 18 +- ..._category_attempted_denial_of_service.json | 18 +- ...a_category_attempted_information_leak.json | 16 +- ...empted_login_with_suspicious_username.json | 18 +- ...ategory_attempted_user_privilege_gain.json | 18 +- ...ta_category_client_using_unusual_port.json | 16 +- ...egory_crypto_currency_mining_activity.json | 16 +- ...icata_category_decode_of_an_rpc_query.json | 16 +- ...t_username_and_password_login_attempt.json | 18 +- .../suricata_category_denial_of_service.json | 18 +- ...ata_category_denial_of_service_attack.json | 18 +- ...category_executable_code_was_detected.json | 18 +- ...uricata_category_exploit_kit_activity.json | 18 +- ...ategory_external_ip_address_retrieval.json | 18 +- .../suricata_category_generic_icmp_event.json | 16 +- ...egory_generic_protocol_command_decode.json | 16 +- .../suricata_category_information_leak.json | 18 +- ...category_large_scale_information_leak.json | 18 +- ..._malware_command_and_control_activity.json | 18 +- .../suricata_category_misc_activity.json | 16 +- .../suricata_category_misc_attack.json | 18 +- ...ricata_category_network_scan_detected.json | 16 +- ...cata_category_network_trojan_detected.json | 18 +- ...ategory_nonstandard_protocol_or_event.json | 18 +- ...icata_category_not_suspicious_traffic.json | 16 +- .../suricata_category_observed_c2_domain.json | 18 +- ...possible_social_engineering_attempted.json | 18 +- ...ta_category_possibly_unwanted_program.json | 18 +- ...potential_corporate_privacy_violation.json | 18 +- ...cata_category_potentially_bad_traffic.json | 18 +- ...lly_vulnerable_web_application_access.json | 18 +- ...ccessful_administrator_privilege_gain.json | 18 +- ..._category_successful_credential_theft.json | 18 +- ...tegory_successful_user_privilege_gain.json | 18 +- ...category_suspicious_filename_detected.json | 18 +- ...uricata_category_system_call_detected.json | 18 +- 
..._category_targeted_malicious_activity.json | 18 +- ...cata_category_tcp_connection_detected.json | 16 +- .../suricata_category_unknown_traffic.json | 16 +- ...gory_unsuccessful_user_privilege_gain.json | 18 +- ...icata_category_web_application_attack.json | 18 +- ...baltstrike_artifact_in_an_dns_request.json | 18 +- ...a_commonly_abused_dns_domain_detected.json | 16 +- ...eversal_characters_in_an_http_request.json | 16 +- ...aversal_characters_in_an_http_request.json | 38 + ...traversal_characters_in_http_response.json | 39 +- ...tory_traversal_in_downloaded_zip_file.json | 39 +- ...icata_dns_traffic_on_unusual_tcp_port.json | 41 +- ...icata_dns_traffic_on_unusual_udp_port.json | 16 +- ...ta_double_encoded_characters_in_a_uri.json | 16 +- ...le_encoded_characters_in_an_http_post.json | 16 +- ...le_encoded_characters_in_http_request.json | 38 + ..._eval_php_function_in_an_http_request.json | 16 +- .../suricata_exploit_cve_2018_1000861.json | 35 + .../suricata_exploit_cve_2019_0227.json | 35 + .../suricata_exploit_cve_2019_0232.json | 35 + .../suricata_exploit_cve_2019_0604.json | 35 + .../suricata_exploit_cve_2019_0708.json | 35 + .../suricata_exploit_cve_2019_0752.json | 35 + .../suricata_exploit_cve_2019_1003000.json | 35 + .../suricata_exploit_cve_2019_10149.json | 35 + .../suricata_exploit_cve_2019_11043.json | 35 + .../suricata_exploit_cve_2019_11510.json | 35 + .../suricata_exploit_cve_2019_11580.json | 35 + .../suricata_exploit_cve_2019_11581.json | 35 + .../suricata_exploit_cve_2019_13450.json | 35 + .../suricata_exploit_cve_2019_13505.json | 35 + .../suricata_exploit_cve_2019_15107.json | 35 + .../suricata_exploit_cve_2019_15846.json | 35 + .../suricata_exploit_cve_2019_16072.json | 35 + .../suricata_exploit_cve_2019_1652.json | 35 + .../suricata_exploit_cve_2019_16662.json | 35 + .../suricata_exploit_cve_2019_16759.json | 35 + .../suricata_exploit_cve_2019_16928.json | 35 + .../suricata_exploit_cve_2019_17270.json | 35 + 
.../suricata_exploit_cve_2019_1821.json | 35 + .../suricata_exploit_cve_2019_19781.json | 35 + .../suricata_exploit_cve_2019_2618.json | 35 + .../suricata_exploit_cve_2019_2725.json | 35 + .../suricata_exploit_cve_2019_3396.json | 35 + .../suricata_exploit_cve_2019_3929.json | 35 + .../suricata_exploit_cve_2019_5533.json | 35 + .../suricata_exploit_cve_2019_6340.json | 35 + .../suricata_exploit_cve_2019_7256.json | 35 + .../suricata_exploit_cve_2019_9978.json | 35 + ..._on_unusual_port_internet_destination.json | 16 +- ..._on_unusual_port_internet_destination.json | 16 +- ..._on_unusual_port_internet_destination.json | 16 +- ...cata_lazagne_artifact_in_an_http_post.json | 16 +- ...ta_mimikatz_artifacts_in_an_http_post.json | 16 +- ...katz_string_detected_in_http_response.json | 16 +- ...uricata_nondns_traffic_on_tcp_port_53.json | 16 +- ...uricata_nondns_traffic_on_udp_port_53.json | 16 +- .../suricata_nonftp_traffic_on_port_21.json | 16 +- ...ricata_nonhttp_traffic_on_tcp_port_80.json | 16 +- ...ata_nonimap_traffic_on_port_1443_imap.json | 16 +- ...ta_nonsmb_traffic_on_tcp_port_139_smb.json | 16 +- .../suricata_nonssh_traffic_on_port_22.json | 16 +- .../suricata_nontls_on_tls_port.json | 16 +- ...alt_strike_malleable_c2_null_response.json | 16 +- ...ion_sql_commands_in_http_transactions.json | 16 +- .../suricata_rpc_traffic_on_http_ports.json | 16 +- .../suricata_serialized_php_detected.json | 16 +- ...ell_exec_php_function_in_an_http_post.json | 16 +- ...c_not_on_port_22_internet_destination.json | 16 +- ..._on_unusual_port_internet_destination.json | 16 +- ...executable_served_by_jpeg_web_content.json | 16 +- ...uspicious_process_started_by_a_script.json | 42 +- ...rvice_bits_connecting_to_the_internet.json | 16 +- .../windows_burp_ce_activity.json | 16 +- ...s_certutil_connecting_to_the_internet.json | 16 +- ...and_prompt_connecting_to_the_internet.json | 16 +- ...nd_shell_started_by_internet_explorer.json | 16 + ...s_command_shell_started_by_powershell.json | 
16 + ...dows_command_shell_started_by_svchost.json | 16 + .../windows_credential_dumping_commands.json | 16 +- ...dows_credential_dumping_via_imageload.json | 16 +- ..._credential_dumping_via_registry_save.json | 16 +- ...ows_data_compression_using_powershell.json | 16 +- ...fense_evasion_decoding_using_certutil.json | 16 +- ...asion_or_persistence_via_hidden_files.json | 16 +- ...ws_defense_evasion_via_filter_manager.json | 16 +- ...e_evasion_via_windows_event_log_tools.json | 16 +- ...dows_execution_via_compiled_html_file.json | 16 +- ...dows_execution_via_connection_manager.json | 16 +- ...on_via_microsoft_html_application_hta.json | 16 +- ...dows_execution_via_net_com_assemblies.json | 16 +- .../windows_execution_via_regsvr32.json | 16 +- ...ution_via_trusted_developer_utilities.json | 16 +- ...le_program_connecting_to_the_internet.json | 16 +- ...dows_image_load_from_a_temp_directory.json | 40 +- .../windows_indirect_command_execution.json | 16 +- .../windows_iodine_activity.json | 16 +- ...agement_instrumentation_wmi_execution.json | 16 +- ...cation_hta_connecting_to_the_internet.json | 16 +- .../windows_mimikatz_activity.json | 41 +- ...isc_lolbin_connecting_to_the_internet.json | 16 +- ...ommand_activity_by_the_system_account.json | 51 +- .../windows_net_user_command_activity.json | 41 +- .../windows_netcat_activity.json | 41 +- .../windows_netcat_network_activity.json | 41 +- ...ous_windows_process_using_https_ports.json | 16 +- .../windows_nmap_activity.json | 41 +- .../windows_nmap_scan_activity.json | 41 +- ...dows_payload_obfuscation_via_certutil.json | 16 +- ...stence_or_priv_escalation_via_hooking.json | 16 +- ..._persistence_via_application_shimming.json | 16 +- .../windows_persistence_via_bits_jobs.json | 16 +- ..._via_modification_of_existing_service.json | 16 +- ...s_persistence_via_netshell_helper_dll.json | 16 +- ...powershell_connecting_to_the_internet.json | 16 +- ...escalation_via_accessibility_features.json | 16 +- 
...rocess_discovery_via_tasklist_command.json | 16 +- .../windows_process_execution_via_wmi.json | 17 + ...ed_by_acrobat_reader_possible_payload.json | 16 + ...by_ms_office_program_possible_payload.json | 16 + ...s_process_started_by_the_java_runtime.json | 41 +- .../windows_psexec_activity.json | 17 + ...er_program_connecting_to_the_internet.json | 16 +- .../windows_registry_query_local.json | 16 +- .../windows_registry_query_network.json | 16 +- .../windows_remote_management_execution.json | 16 +- .../windows_scheduled_task_activity.json | 16 +- ...nterpreter_connecting_to_the_internet.json | 16 +- ...windows_signed_binary_proxy_execution.json | 16 +- ...igned_binary_proxy_execution_download.json | 16 +- ...uspicious_process_started_by_a_script.json | 16 + .../windows_whoami_command_activity.json | 41 +- .../windows_windump_activity.json | 17 + .../windows_wireshark_activity.json | 16 +- .../prepackaged_rules/windump_activity.json | 16 +- .../zeek_notice_capturelosstoo_much_loss.json | 16 +- .../zeek_notice_conncontent_gap.json | 16 +- ...tice_connretransmission_inconsistency.json | 16 +- .../zeek_notice_dnsexternal_name.json | 16 +- .../zeek_notice_ftpbruteforcing.json | 16 +- .../zeek_notice_ftpsite_exec_success.json | 16 +- ...notice_heartbleedssl_heartbeat_attack.json | 16 +- ...eartbleedssl_heartbeat_attack_success.json | 16 +- ...heartbleedssl_heartbeat_many_requests.json | 16 +- ...ce_heartbleedssl_heartbeat_odd_length.json | 16 +- ...eek_notice_httpsql_injection_attacker.json | 16 +- .../zeek_notice_httpsql_injection_victim.json | 16 +- .../zeek_notice_intelnotice.json | 16 +- .../zeek_notice_noticetally.json | 16 +- ...ice_packetfiltercannot_bpf_shunt_conn.json | 16 +- ...ek_notice_packetfiltercompile_failure.json | 16 +- ...ek_notice_packetfilterdropped_packets.json | 16 +- ...ek_notice_packetfilterinstall_failure.json | 16 +- ...etfilterno_more_conn_shunts_available.json | 16 +- ...acketfiltertoo_long_to_compile_filter.json | 16 +- 
...notice_protocoldetectorprotocol_found.json | 16 +- ...k_notice_protocoldetectorserver_found.json | 16 +- .../zeek_notice_scanaddress_scan.json | 16 +- .../zeek_notice_scanport_scan.json | 16 +- ...zeek_notice_signaturescount_signature.json | 16 +- ...ice_signaturesmultiple_sig_responders.json | 16 +- ..._notice_signaturesmultiple_signatures.json | 16 +- ..._notice_signaturessensitive_signature.json | 16 +- ...ek_notice_signaturessignature_summary.json | 16 +- ...eek_notice_smtpblocklist_blocked_host.json | 16 +- ...ek_notice_smtpblocklist_error_message.json | 16 +- ...eek_notice_smtpsuspicious_origination.json | 16 +- ...otice_softwaresoftware_version_change.json | 16 +- ...eek_notice_softwarevulnerable_version.json | 16 +- ..._notice_sshinteresting_hostname_login.json | 16 +- ...k_notice_sshlogin_by_password_guesser.json | 16 +- .../zeek_notice_sshpassword_guessing.json | 16 +- .../zeek_notice_sshwatched_country_login.json | 16 +- .../zeek_notice_sslcertificate_expired.json | 16 +- ...ek_notice_sslcertificate_expires_soon.json | 16 +- ...k_notice_sslcertificate_not_valid_yet.json | 16 +- .../zeek_notice_sslinvalid_ocsp_response.json | 16 +- .../zeek_notice_sslinvalid_server_cert.json | 16 +- .../zeek_notice_sslold_version.json | 16 +- .../zeek_notice_sslweak_cipher.json | 16 +- .../zeek_notice_sslweak_key.json | 16 +- ...ice_teamcymrumalwarehashregistrymatch.json | 16 +- .../zeek_notice_traceroutedetected.json | 16 +- .../zeek_notice_weirdactivity.json | 16 +- .../scripts/regen_prepackge_rules_index.sh | 33 + 344 files changed, 4760 insertions(+), 3708 deletions(-) create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json create mode 
100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json create mode 
100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json create mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json create mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json create mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json create mode 100755 x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh diff --git a/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js b/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js index 0da44eec3aaa30..4243e67ca1320c 100644 --- a/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js +++ b/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js @@ -38,17 +38,6 @@ const TO = 'now'; const IMMUTABLE = true; const RISK_SCORE = 50; const ENABLED = false; -let allRules = `/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -// Auto generated file from scripts/convert_saved_search_rules.js -// Do not hand edit. Run the script against a set of saved searches instead - -`; -const allRulesNdJson = 'index.ts'; // For converting, if you want to use these instead of rely on the defaults then // comment these in and use them for the script. Otherwise this is commented out 
@@ -133,22 +122,19 @@ async function main() { }, []); savedSearchesParsed.forEach( - ( - { - _file, - attributes: { - description, - title, - kibanaSavedObjectMeta: { - searchSourceJSON: { - query: { query, language }, - filter, - }, + ({ + _file, + attributes: { + description, + title, + kibanaSavedObjectMeta: { + searchSourceJSON: { + query: { query, language }, + filter, }, }, }, - index - ) => { + }) => { const fileToWrite = cleanupFileName(_file); // remove meta value from the filter @@ -157,20 +143,20 @@ async function main() { return filterValue; }); const outputMessage = { - rule_id: uuid.v4(), - risk_score: RISK_SCORE, description: description || title, + enabled: ENABLED, + filters: filterWithoutMeta, + from: FROM, immutable: IMMUTABLE, interval: INTERVAL, + language, name: title, + query, + risk_score: RISK_SCORE, + rule_id: uuid.v4(), severity: SEVERITY, - type: TYPE, - from: FROM, to: TO, - query, - language, - filters: filterWithoutMeta, - enabled: ENABLED, + type: TYPE, version: 1, // comment these in if you want to use these for input output, otherwise // with these two commented out, we will use the default saved objects from spaces. @@ -182,16 +168,8 @@ async function main() { `${outputDir}/${fileToWrite}.json`, `${JSON.stringify(outputMessage, null, 2)}\n` ); - allRules += `import rule${index + 1} from './${fileToWrite}.json';\n`; } ); - allRules += '\n'; - allRules += 'export const rawRules = [\n'; - savedSearchesParsed.forEach((_, index) => { - allRules += ` rule${index + 1},\n`; - }); - allRules += '];\n'; - fs.writeFileSync(`${outputDir}/${allRulesNdJson}`, allRules); } if (require.main === module) { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts index 24184b023bee3b..260147ed0506c8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts 
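Review bot: `rule_id: uuid.v4()` in the `@@ -157` hunk's outputMessage mints a fresh id on every run, so re-running the converter against the same saved searches rewrites the rule_id of every rule already checked in under `outputDir`, which is the identity that `immutable: true` rules and the new duplicate-rule_id test rely on. Reuse the rule_id from the existing output file when one is present and fall back to a new UUID only for rules that have no file yet; `fs` is already in scope from the `writeFileSync` below. The enclosing `main()` and the `savedSearchesParsed.forEach` callback start outside the hunk.
```javascript
      const fileToWrite = cleanupFileName(_file);
      // keep rule_id stable across re-runs: reuse the id already on disk, if any
      const existingPath = `${outputDir}/${fileToWrite}.json`;
      const existingRuleId = fs.existsSync(existingPath)
        ? JSON.parse(fs.readFileSync(existingPath, 'utf8')).rule_id
        : undefined;
      // … unchanged: filterWithoutMeta …
      const outputMessage = {
        // … unchanged: other fields …
        rule_id: existingRuleId || uuid.v4(),
        // … unchanged: remaining fields and write …
      };
```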
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts @@ -5,15 +5,36 @@ */ import { getPrepackagedRules } from './get_prepackaged_rules'; +import { RuleAlertParamsRest } from '../types'; +import { isEmpty } from 'lodash/fp'; describe('get_existing_prepackaged_rules', () => { test('should not throw any errors with the existing checked in pre-packaged rules', () => { expect(() => getPrepackagedRules()).not.toThrow(); }); + test('no rule should have the same rule_id as another rule_id', () => { + const prePacakgedRules = getPrepackagedRules(); + let existingRuleIds: RuleAlertParamsRest[] = []; + prePacakgedRules.forEach(rule => { + const foundDuplicate = existingRuleIds.reduce((accum, existingRule) => { + if (existingRule.rule_id === rule.rule_id) { + return `Found duplicate rule_id of ${rule.rule_id} between these two rule names of "${rule.name}" and "${existingRule.name}"`; + } else { + return accum; + } + }, ''); + if (!isEmpty(foundDuplicate)) { + expect(foundDuplicate).toEqual(''); + } else { + existingRuleIds = [...existingRuleIds, rule]; + } + }); + }); + test('should throw an exception if a pre-packaged rule is not valid', () => { expect(() => getPrepackagedRules([{ not_valid_made_up_key: true }])).toThrow( - 'name: "(rule_name unknown)", rule_id: "(rule_id unknown)" within the folder rules/prepackaged_rules is not a valid detection engine rule. Expect the system to not work with pre-packaged rules until this rule is fixed or the file is removed. Error is: child "description" fails because ["description" is required]' + 'name: "(rule name unknown)", rule_id: "(rule rule_id unknown)" within the folder rules/prepackaged_rules is not a valid detection engine rule. Expect the system to not work with pre-packaged rules until this rule is fixed or the file is removed. Error is: child "description" fails because ["description" is required], Full rule contents are:\n{\n "not_valid_made_up_key": true\n}' ); }); 
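Review bot: The duplicate-rule_id test's `existingRuleIds.reduce` rescans every previously seen rule for each rule and only reaches `expect` inside an `if`, so the assertion is hidden in control flow, the list is named `...Ids` while holding whole rules, and `prePacakgedRules` is misspelled. A `Map` from rule_id to rule name makes the check one lookup per rule, keeps the same failure message, and lets the lodash `isEmpty` and `RuleAlertParamsRest` imports go. If `rule_id` is optional on the rule type, the Map key needs a `string` narrowing first — confirm against `../types`.
```typescript
  test('no rule should have the same rule_id as another rule_id', () => {
    const namesById = new Map<string, string>();
    getPrepackagedRules().forEach(rule => {
      const previousName = namesById.get(rule.rule_id);
      expect(
        previousName == null
          ? ''
          : `Found duplicate rule_id of ${rule.rule_id} between these two rule names of "${rule.name}" and "${previousName}"`
      ).toEqual('');
      namesById.set(rule.rule_id, rule.name);
    });
  });
```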
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts index 376ad4eb287d5b..855d0d73f6796a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts @@ -19,13 +19,15 @@ export const validateAllPrepackagedRules = ( return rules.map(rule => { const validatedRule = addPrepackagedRulesSchema.validate(rule); if (validatedRule.error != null) { - const ruleName = rule.name ? rule.name : '(rule_name unknown)'; - const ruleId = rule.rule_id ? rule.rule_id : '(rule_id unknown)'; + const ruleName = rule.name ? rule.name : '(rule name unknown)'; + const ruleId = rule.rule_id ? rule.rule_id : '(rule rule_id unknown)'; throw new TypeError( `name: "${ruleName}", rule_id: "${ruleId}" within the folder rules/prepackaged_rules ` + `is not a valid detection engine rule. Expect the system ` + `to not work with pre-packaged rules until this rule is fixed ` + - `or the file is removed. Error is: ${validatedRule.error.message}` + `or the file is removed. Error is: ${ + validatedRule.error.message + }, Full rule contents are:\n${JSON.stringify(rule, null, 2)}` ); } else { return validatedRule.value; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json new file mode 100644 index 00000000000000..932f1986045574 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json 
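Review bot: The new `Full rule contents are:` suffix puts `JSON.stringify(rule, null, 2)` of whatever `validateAllPrepackagedRules` was handed straight into the thrown TypeError, and `rules` is a parameter, so any caller that passes a non-checked-in object gets its full contents copied verbatim into the exception and into every log line that prints it. For the shipped files in `rules/prepackaged_rules` that is harmless and genuinely useful; if the helper is ever reached with user-supplied bodies, cap the dump (`JSON.stringify(rule, null, 2).slice(0, 2048)`) or keep only the rule name and id in the message and log the body at debug level. The `(rule rule_id unknown)` placeholder also reads doubled — `(rule_id unknown)` says the same, and the matching test string would change with it. `validateAllPrepackagedRules` starts outside the hunk.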
@@ -0,0 +1,17 @@ +{ + "description": "403 Response to a POST", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "403 Response to a POST", + "query": "http.response.status_code:403 and http.request.method:post", + "risk_score": 50, + "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json new file mode 100644 index 00000000000000..d4c9a40ddb45f1 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json @@ -0,0 +1,17 @@ +{ + "description": "405 Response (Method Not Allowed)", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "405 Response (Method Not Allowed)", + "query": "http.response.status_code:405", + "risk_score": 50, + "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json new file mode 100644 index 00000000000000..62312003797326 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json 
@@ -0,0 +1,17 @@ +{ + "description": "500 Response on Admin page", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "500 Response on Admin page", + "query": "url.path:\"/admin/\" and http.response.status_code:500", + "risk_score": 50, + "rule_id": "054f669c-b065-492e-acd9-15e44fc42380", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json index 1fd9fc0bb0d32c..bb9d8c60040f6e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json @@ -1,29 +1,22 @@ { - "rule_id": "a0b554d2-85ed-4998-ada3-4ca58b508b35", - "risk_score": 50, "description": "Command shell started by Internet Explorer", - "immutable": true, - "interval": "5m", - "name": "Command shell started by Internet Explorer", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.parent.name:iexplore.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "cmd.exe", + "negate": false, "params": { "query": "cmd.exe" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "cmd.exe" }, "query": { "match": { 
@@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { @@ -57,12 +50,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Command shell started by Internet Explorer", + "query": "process.parent.name:iexplore.exe", + "risk_score": 50, + "rule_id": "a0b554d2-85ed-4998-ada3-4ca58b508b35", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json index 594e3d5f650f9d..d9820f90c55ee4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json 
@@ -1,29 +1,22 @@ { - "rule_id": "ab4bbfa5-4127-40bf-852f-bdc6afdb2a06", - "risk_score": 50, "description": "Command shell started by Powershell", - "immutable": true, - "interval": "5m", - "name": "Command shell started by Powershell", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.parent.name:powershell.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "cmd.exe", + "negate": false, "params": { "query": "cmd.exe" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "cmd.exe" }, "query": { "match": { @@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { 
@@ -57,12 +50,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Command shell started by Powershell", + "query": "process.parent.name:powershell.exe", + "risk_score": 50, + "rule_id": "ab4bbfa5-4127-40bf-852f-bdc6afdb2a06", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json index 02f7516d5cd794..a11f69fc3048f7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json @@ -1,29 +1,22 @@ { - "rule_id": "2e4f8a5e-ce68-44e0-9243-1f57d44c4f30", - "risk_score": 50, "description": "Command shell started by Svchost", - "immutable": true, - "interval": "5m", - "name": "Command shell started by Svchost", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.parent.name:svchost.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "cmd.exe", + "negate": false, "params": { "query": "cmd.exe" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "cmd.exe" }, "query": { "match": { 
@@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { @@ -57,12 +50,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Command shell started by Svchost", + "query": "process.parent.name:svchost.exe", + "risk_score": 50, + "rule_id": "2e4f8a5e-ce68-44e0-9243-1f57d44c4f30", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json new file mode 100644 index 00000000000000..faa1c97e4badaa --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json 
@@ -0,0 +1,17 @@ +{ + "description": "Network - Detect Large Outbound ICMP Packets", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Network - Detect Large Outbound ICMP Packets", + "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "4fce2a7e-0e11-4f17-bae3-8873c5ae62be", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json new file mode 100644 index 00000000000000..f034e4999107f3 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json @@ -0,0 +1,17 @@ +{ + "description": "Network - Detect Long DNS TXT Record Response", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Network - Detect Long DNS TXT Record Response", + "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53", + "risk_score": 50, + "rule_id": "cc28f445-318e-4850-8b0d-5ad53eaded74", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json new file mode 100644 index 00000000000000..d1b5f6be750401 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json @@ -0,0 +1,17 @@ +{ + "description": "Network - Protocols passing authentication in cleartext", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Network - Protocols passing authentication in cleartext", + "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp", + "risk_score": 50, + "rule_id": "31f32b3c-415a-4a18-b60f-5748a337246b", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json new file mode 100644 index 00000000000000..60d5ffe918585f --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json @@ -0,0 +1,17 @@ +{ + "description": "Windows - Child Processes of Spoolsv.exe", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - Child Processes of Spoolsv.exe", + "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ", + "risk_score": 50, + "rule_id": "dcc45d35-f42e-4f97-81e8-90b0597ea0d1", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json new file mode 100644 index 00000000000000..ca27234b0d8ae0 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json @@ -0,0 +1,17 @@ +{ + "description": "Windows - Detect New Local Admin account", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - Detect New Local Admin account", + "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators", + "risk_score": 50, + "rule_id": "461db51b-b1a1-49de-ac63-e1bcbd445602", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json new file mode 100644 index 00000000000000..25dcd8234e092f --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json @@ -0,0 +1,17 @@ +{ + "description": "Windows - Detect PsExec With accepteula Flag", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - Detect PsExec With accepteula Flag", + "query": "process.name:PsExec.exe and process.args:\"-accepteula\"", + "risk_score": 50, + "rule_id": "304b0e0c-bd06-46f8-aeda-2e719ae434d1", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} 
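Review bot: In ece_windows_detect_new_local_admin_account.json the query `event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators` looks like it can only ever match 4732: as far as I recall, TargetUserName on a 4720 (account created) event is the new account's name, while on 4732 (member added to a local group) it is the group, so the 4720 branch would fire only for an account literally named Administrators. If the intent is membership added to the local Administrators group, `"query": "event.code:4732 and winlog.event_data.TargetUserName:Administrators"` is the honest form; if account creation should alert too, it needs its own clause without the TargetUserName filter. Worth checking against a sample of both events before this ships as a prepackaged rule.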
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json new file mode 100644 index 00000000000000..70d06ca9a4777d --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json @@ -0,0 +1,17 @@ +{ + "description": "Windows - Detect Use of cmd.exe to Launch Script Interpreters", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - Detect Use of cmd.exe to Launch Script Interpreters", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"", + "risk_score": 50, + "rule_id": "b17c215e-8fa5-4087-b8d1-87761a90d710", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json new file mode 100644 index 00000000000000..9dbc8d7cbb7ede --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json 
@@ -0,0 +1,17 @@ +{ + "description": "Windows - New External Device Attached", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - New External Device Attached", + "query": "event.code:6416", + "risk_score": 50, + "rule_id": "c0747553-5763-5d85-cd97-898f2daa2bde", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json new file mode 100644 index 00000000000000..3f4e1a6243a969 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json @@ -0,0 +1,17 @@ +{ + "description": "Windows - Processes created by netsh", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - Processes created by netsh", + "query": "process.parent.name:netsh.exe", + "risk_score": 50, + "rule_id": "e312dd9e-4760-4a71-a241-9b9a835a51c4", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json new file mode 100644 index 00000000000000..34d08d7596e118 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json 
@@ -0,0 +1,17 @@ +{ + "description": "Windows - Processes launching netsh", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - Processes launching netsh", + "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ", + "risk_score": 50, + "rule_id": "3b8db8aa-5734-405e-8dda-703129078a35", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json new file mode 100644 index 00000000000000..bd82247203f005 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json @@ -0,0 +1,17 @@ +{ + "description": "Windows - Windows Event Log Cleared", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows - Windows Event Log Cleared", + "query": "event.code:(1102 or 1100)", + "risk_score": 50, + "rule_id": "b94b5177-ca7f-468a-9a1d-aef39c30a3ae", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json index 7bddffb4734ef0..a65a386cb827e7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -1,17 +1,17 @@ { - "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "risk_score": 50, "description": "EQL - Adding the Hidden File Attribute with via attrib.exe", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Adding the Hidden File Attribute with via attrib.exe", + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", + "risk_score": 50, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index d57e5c7709b246..e5d797f3fc1319 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json 
@@ -1,17 +1,17 @@ { - "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "risk_score": 50, "description": "EQL - Adobe Hijack Persistence", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Adobe Hijack Persistence", + "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe", + "risk_score": 50, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json index da3cf0fb460259..ef65bd3ecef35d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json 
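Review bot: The exclusion at the end of the eql_adobe_hijack_persistence.json query, `not process.name:msiexeec.exe`, misspells msiexec, so it never matches and installer-driven file creates in those paths still fire; the line is only moved by this commit but the typo goes out with it. `not process.name:msiexec.exe` restores the intended carve-out. The uniqueness test added in get_prepackaged_rules.test.ts cannot catch this kind of slip, so a quick pass over the other moved queries (several also carry leading or trailing spaces inside the string) is cheap insurance.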
@@ -1,17 +1,17 @@ { - "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", - "risk_score": 50, "description": "EQL - Audio Capture via PowerShell", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Audio Capture via PowerShell", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"", + "risk_score": 50, + "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json index cc0091feb290d8..89eec55d827d6d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json 
@@ -1,17 +1,17 @@ { - "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", - "risk_score": 50, "description": "EQL - Audio Capture via SoundRecorder", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Audio Capture via SoundRecorder", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", + "risk_score": 50, + "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json index bdc85045009cb6..80f83991516a67 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json 
@@ -1,17 +1,17 @@
 {
- "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
- "risk_score": 50,
  "description": "EQL -Bypass UAC Event Viewer",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL -Bypass UAC Event Viewer",
+ "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
+ "risk_score": 50,
+ "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
index c3b28e6dce849e..0850632c95899d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
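Review bot: The `process.executable` exclusion on the new `query` line reaches the KQL parser as `C:\Windows\System32\mmc.exe` once JSON turns `\\` into a single backslash, and KQL treats a backslash inside a quoted value as an escape character, so the term the engine compares against is likely `C:WindowsSystem32mmc.exe` and the exclusion never applies; this should be confirmed against the query parser before the rule ships. If so, each path needs the KQL escape doubled in JSON, e.g. `\"C:\\\\Windows\\\\System32\\\\mmc.exe\"`. The same single-backslash paths appear in eql_bypass_uac_via_sdclt.json and in the `file.path` list of eql_dll_search_order_hijack.json in this batch.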
@@ -1,17 +1,17 @@
 {
- "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
- "risk_score": 50,
  "description": "EQL - Bypass UAC via CMSTP",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Bypass UAC via CMSTP",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
+ "risk_score": 50,
+ "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
index d79c551ffb9cba..85ba24fd572c37 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
- "risk_score": 50,
  "description": "EQL -Bypass UAC Via sdclt",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL -Bypass UAC Via sdclt",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
+ "risk_score": 50,
+ "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
index d7eb663297a637..28f45b94049e78 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
- "risk_score": 50,
  "description": "EQL - Clearing Windows Event Logs",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Clearing Windows Event Logs",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
+ "risk_score": 50,
+ "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
index 2155c2fa12913a..6f00427656af6f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
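Review bot: KQL binds `and` more tightly than `or`, so the new `query` line parses as `(event.action:… and process.name:"wevtutil.exe" and process.args:"cl") or (process.name:"powershell.exe" and process.args:"Clear-EventLog")`, and the PowerShell alternative is not restricted to process-creation events at all. Group the alternatives explicitly: `"query": "event.action:\"Process Create (rule: ProcessCreate)\" and ((process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"))"`. The netsh rule in this batch (eql_disable_windows_firewall_rules_with_netsh.json) has the same shape, and there the `advfirewall … off` alternative is gated on neither `event.action` nor `process.name:\"netsh.exe\"`, so any process with those arguments would alert.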
@@ -1,17 +1,17 @@
 {
- "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
- "risk_score": 50,
  "description": "EQL - Delete Volume USN Journal with fsutil",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Delete Volume USN Journal with fsutil",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
+ "risk_score": 50,
+ "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index 4bf7ae5ee1a5a2..8f5b21b74ee6a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
- "risk_score": 50,
  "description": "EQL - Deleting Backup Catalogs with wbadmin",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Deleting Backup Catalogs with wbadmin",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
+ "risk_score": 50,
+ "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 8a7733d069154f..56f0b2efec620c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
- "risk_score": 50,
  "description": "EQL - Direct Outbound SMB Connection",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Direct Outbound SMB Connection",
+ "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+ "risk_score": 50,
+ "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 2ed22ed4e59a05..4d1e32eb298978 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
- "risk_score": 50,
  "description": "EQL - Disable Windows Firewall Rules with Netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Disable Windows Firewall Rules with Netsh",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
+ "risk_score": 50,
+ "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
index e59286339290af..b9bf463a8e5f22 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
- "risk_score": 50,
  "description": "EQL - DLL Search Order Hijack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - DLL Search Order Hijack",
+ "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
+ "risk_score": 50,
+ "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
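Review bot: Every `file.path` value on the new `query` line is written `C\\Windows\\…` with no `:` after the drive letter, whereas the UAC-bypass rules in this same batch write `C:\\Windows\\…`; an exact-match list of paths that no Windows file ever has means this rule cannot fire even once enabled. Each entry should read, for example, `\"C:\\Windows\\System32\\Sysprep\\cryptbase.dll\"`, applied to all nine paths. Whether a single backslash then survives KQL's quoted-string escaping is a separate question worth checking against the parser, since the JSON `\\` reaches KQL as one backslash.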
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index 2ad0a53b6c9b4d..6b4ffd9cb21e3b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
- "risk_score": 50,
  "description": "EQL - Encoding or Decoding Files via CertUtil",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Encoding or Decoding Files via CertUtil",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
+ "risk_score": 50,
+ "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index bb005643031bd1..f09983d26aff50 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
- "risk_score": 50,
  "description": "EQL - Local Scheduled Task Commands",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Local Scheduled Task Commands",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
+ "risk_score": 50,
+ "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index 1254d0971f1084..d33a3dbe6de814 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
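Review bot: The `process.args` list on the new `query` line mixes casings — `\"/S\"` is upper-case while `\"-s\"` and every other switch are lower-case — so if `process.args` is a keyword field the comparison is case-sensitive and `schtasks /s …` (lower) or `-S` (upper) would not match, while `/create`, `/run` and `/change` are each covered in one spelling only. Either list both casings for every switch or confirm that the field is lower-cased at ingest before relying on it; a short note in `description` recording which assumption holds would help the next maintainer.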
@@ -1,17 +1,17 @@
 {
- "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
- "risk_score": 50,
  "description": "EQL - Local Service Commands",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Local Service Commands",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
+ "risk_score": 50,
+ "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
index 62b07f1f4ed378..39dc2547520737 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
- "risk_score": 50,
  "description": "EQL - Modification of Boot Configuration",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Modification of Boot Configuration",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
+ "risk_score": 50,
+ "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index a3c0a8c0960efe..dd8fab2d8ad706 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
- "risk_score": 50,
  "description": "EQL - MsBuild Making Network Connections",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - MsBuild Making Network Connections",
+ "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+ "risk_score": 50,
+ "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index 2d5e73c50a73c7..8037cc9bcba7f0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
- "risk_score": 50,
  "description": "EQL - Mshta Making Network Connections",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - Mshta Making Network Connections",
+ "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"",
+ "risk_score": 50,
+ "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\" and not parent.process.name:\"Microsoft.ConfigurationManagement.exe\"",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
index 04c88def26d61d..5dd6d5d3042c6d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
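Review bot: The new `query` line contains `process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"`, which no document can satisfy, so this rule can never raise an alert even after it is enabled. The `not` clause reads like a parent-process exclusion that lost its field name; the removed line did carry one, but under `parent.process.name`, which is not the ECS field (the event-viewer rule in this batch uses `process.parent.name`). If the exclusion is still wanted the line should be `"query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.parent.name:\"Microsoft.ConfigurationManagement.exe\""`; otherwise drop the `not` clause entirely.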
@@ -1,17 +1,17 @@
 {
- "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
- "risk_score": 50,
  "description": "EQL - MsXsl Making Network Connections",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - MsXsl Making Network Connections",
+ "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "process.name:msxml.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
index fe87c83c0403c4..d83f7796cd4d1a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
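Review bot: The new `query` line excludes only the three RFC 1918 ranges, while the other NetworkConnect rules in this batch (msbuild, direct outbound SMB) exclude `127.0.0.1` and `::1` instead, so a loopback connection by msxsl.exe alerts here but the same behaviour from msbuild does not. If that difference is not deliberate, append `and not destination.ip:(\"127.0.0.1\" or \"::1\")` to the query, or record the intended scope in `description` so the inconsistency is not "fixed" in the wrong direction later.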
@@ -1,17 +1,17 @@
 {
- "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
- "risk_score": 50,
  "description": "EQL - PsExec Lateral Movement Command",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "EQL - PsExec Lateral Movement Command",
+ "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
+ "risk_score": 50,
+ "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index 41deb57145abcd..5746541dd879cf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
@@ -1,17 +1,17 @@ { - "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "risk_score": 50, "description": "EQL - Suspicious MS Office Child Process", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Suspicious MS Office Child Process", + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", + "risk_score": 50, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or 
\"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json index bbcc987c3b6aec..88ce75eeef34e8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json 
@@ -1,17 +1,17 @@ { - "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "risk_score": 50, "description": "EQL - Suspicious MS Outlook Child Process", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Suspicious MS Outlook Child Process", + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", + "risk_score": 50, + "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or 
\"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json index 488dc04a3b02e5..2e3a654127b53e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json 
@@ -1,17 +1,17 @@
 {
- "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
- "risk_score": 50,
 "description": "EQL - Suspicious PDF Reader Child Process",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Suspicious PDF Reader Child Process",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+ "risk_score": 50,
+ "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index 810aa79ce25af1..20080719f3ed3b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
- "risk_score": 50,
 "description": "EQL - System Shells via Services",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - System Shells via Services",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
+ "risk_score": 50,
+ "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
index 6918d996256c03..79f8f8e1f606c8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
- "risk_score": 50,
 "description": "EQL - Unusual Network Connection via RunDLL32",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Unusual Network Connection via RunDLL32",
+ "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index 007487ec91eed1..28cce6ed89f8b0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
- "risk_score": 50,
 "description": "EQL - Unusual Parent-Child Relationship ",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Unusual Parent-Child Relationship ",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
+ "risk_score": 50,
+ "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index 7aabc9ed604161..8b84ec4ff34f48 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
- "risk_score": 50,
 "description": "EQL - Unusual Process Network Connection",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Unusual Process Network Connection",
+ "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+ "risk_score": 50,
+ "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
index cbe1b7fb7af4f9..3af9d9c4277511 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
- "risk_score": 50,
 "description": "EQL - User Account Creation",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - User Account Creation",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
+ "risk_score": 50,
+ "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
index ed8fa5276ef343..226f2dd1e39342 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
- "risk_score": 50,
 "description": "EQL - User Added to Administrator Group",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - User Added to Administrator Group",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
+ "risk_score": 50,
+ "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
index 186c688d21d8fc..2b27bce457aff8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
- "risk_score": 50,
 "description": "EQL - Volume Shadow Copy Deletion via VssAdmin",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Volume Shadow Copy Deletion via VssAdmin",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
+ "risk_score": 50,
+ "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
index 9f75cb3ab26a86..4ec4530cc967f7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
- "risk_score": 50,
 "description": "EQL - Volume Shadow Copy Deletion via WMIC",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Volume Shadow Copy Deletion via WMIC",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
+ "risk_score": 50,
+ "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
index 034651d94d0ea8..da96eb39e4d96a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
- "risk_score": 50,
 "description": "EQL - Windows Script Executing PowerShell",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Windows Script Executing PowerShell",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
+ "risk_score": 50,
+ "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
index eb1f3f4dca08e5..3f1c22e2a55d99 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
- "risk_score": 50,
 "description": "EQL - WMIC Command Lateral Movement",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - WMIC Command Lateral Movement",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")",
+ "risk_score": 50,
+ "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index 49b3c5d6802b48..8a353e4b2b3016 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@@ -4,287 +4,348 @@ * you may not use this file except in compliance with the Elastic License. */ -// Auto generated file from scripts/convert_saved_search_rules.js -// Do not hand edit. Run the script against a set of saved searches instead +// Auto generated file from scripts/regen_prepackage_rules_index.sh +// Do not hand edit. Run that script to regenerate package information instead -import rule1 from './eql_bypass_uac_via_sdclt.json'; -import rule2 from './eql_clearing_windows_event_logs.json'; -import rule3 from './eql_suspicious_ms_office_child_process.json'; -import rule4 from './eql_bypass_uac_event_viewer.json'; -import rule5 from './eql_volume_shadow_copy_deletion_via_wmic.json'; -import rule6 from './eql_adobe_hijack_persistence.json'; -import rule7 from './eql_unusual_network_connection_via_rundll32.json'; -import rule8 from './eql_delete_volume_usn_journal_with_fsutil.json'; -import rule9 from './eql_mshta_making_network_connections.json'; -import rule10 from './eql_unusual_process_network_connection.json'; -import rule11 from './eql_suspicious_ms_outlook_child_process.json'; -import rule12 from './eql_audio_capture_via_soundrecorder.json'; -import rule13 from './eql_direct_outbound_smb_connection.json'; -import rule14 from './eql_windows_script_executing_powershell.json'; -import rule15 from './eql_deleting_backup_catalogs_with_wbadmin.json'; -import rule16 from './eql_suspicious_pdf_reader_child_process.json'; -import rule17 from './eql_local_service_commands.json'; -import rule18 from './eql_dll_search_order_hijack.json'; -import rule19 from './eql_bypass_uac_via_cmstp.json'; -import rule20 from './eql_user_account_creation.json'; -import rule21 from './eql_wmic_command_lateral_movement.json'; -import rule22 from './eql_system_shells_via_services.json'; -import rule23 from './eql_msxsl_making_network_connections.json'; -import rule24 from './eql_local_scheduled_task_commands.json'; -import rule25 from 
'./eql_msbuild_making_network_connections.json'; -import rule26 from './eql_encoding_or_decoding_files_via_certutil.json'; -import rule27 from './eql_disable_windows_firewall_rules_with_netsh.json'; -import rule28 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; -import rule29 from './eql_psexec_lateral_movement_command.json'; -import rule30 from './eql_user_added_to_administrator_group.json'; -import rule31 from './eql_audio_capture_via_powershell.json'; -import rule32 from './eql_unusual_parentchild_relationship.json'; -import rule33 from './eql_modification_of_boot_configuration.json'; -import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; -import rule35 from './zeek_notice_signaturesmultiple_sig_responders.json'; -import rule36 from './zeek_notice_packetfiltercompile_failure.json'; -import rule37 from './zeek_notice_signaturescount_signature.json'; -import rule38 from './zeek_notice_signaturesmultiple_signatures.json'; -import rule39 from './zeek_notice_signaturessignature_summary.json'; -import rule40 from './zeek_notice_signaturessensitive_signature.json'; -import rule41 from './zeek_notice_packetfilterinstall_failure.json'; -import rule42 from './zeek_notice_weirdactivity.json'; -import rule43 from './zeek_notice_noticetally.json'; -import rule44 from './zeek_notice_packetfilterno_more_conn_shunts_available.json'; -import rule45 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json'; -import rule46 from './zeek_notice_teamcymrumalwarehashregistrymatch.json'; -import rule47 from './zeek_notice_softwaresoftware_version_change.json'; -import rule48 from './zeek_notice_protocoldetectorserver_found.json'; -import rule49 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json'; -import rule50 from './zeek_notice_protocoldetectorprotocol_found.json'; -import rule51 from './zeek_notice_intelnotice.json'; -import rule52 from './zeek_notice_packetfilterdropped_packets.json'; -import rule53 from 
'./zeek_notice_scanaddress_scan.json'; -import rule54 from './zeek_notice_ftpbruteforcing.json'; -import rule55 from './zeek_notice_scanport_scan.json'; -import rule56 from './zeek_notice_dnsexternal_name.json'; -import rule57 from './zeek_notice_capturelosstoo_much_loss.json'; -import rule58 from './zeek_notice_softwarevulnerable_version.json'; -import rule59 from './zeek_notice_connretransmission_inconsistency.json'; -import rule60 from './zeek_notice_traceroutedetected.json'; -import rule61 from './zeek_notice_conncontent_gap.json'; -import rule62 from './zeek_notice_smtpblocklist_blocked_host.json'; -import rule63 from './zeek_notice_httpsql_injection_victim.json'; -import rule64 from './zeek_notice_sshlogin_by_password_guesser.json'; -import rule65 from './zeek_notice_sshpassword_guessing.json'; -import rule66 from './zeek_notice_sshwatched_country_login.json'; -import rule67 from './zeek_notice_ftpsite_exec_success.json'; -import rule68 from './zeek_notice_smtpsuspicious_origination.json'; -import rule69 from './zeek_notice_httpsql_injection_attacker.json'; -import rule70 from './zeek_notice_smtpblocklist_error_message.json'; -import rule71 from './zeek_notice_sshinteresting_hostname_login.json'; -import rule72 from './zeek_notice_sslinvalid_server_cert.json'; -import rule73 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json'; -import rule74 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json'; -import rule75 from './zeek_notice_sslcertificate_expired.json'; -import rule76 from './zeek_notice_sslcertificate_expires_soon.json'; -import rule77 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json'; -import rule78 from './zeek_notice_sslcertificate_not_valid_yet.json'; -import rule79 from './zeek_notice_heartbleedssl_heartbeat_attack.json'; -import rule80 from './zeek_notice_sslinvalid_ocsp_response.json'; -import rule81 from './zeek_notice_sslweak_key.json'; -import rule82 from './zeek_notice_sslold_version.json'; -import rule83 
from './zeek_notice_sslweak_cipher.json'; -import rule84 from './suricata_category_large_scale_information_leak.json'; -import rule85 from './suricata_category_attempted_information_leak.json'; -import rule86 from './suricata_category_not_suspicious_traffic.json'; -import rule87 from './suricata_category_potentially_bad_traffic.json'; -import rule88 from './suricata_category_information_leak.json'; -import rule89 from './suricata_category_unknown_traffic.json'; -import rule90 from './suricata_category_successful_administrator_privilege_gain.json'; -import rule91 from './suricata_category_attempted_administrator_privilege_gain.json'; -import rule92 from './suricata_category_unsuccessful_user_privilege_gain.json'; -import rule93 from './suricata_category_successful_user_privilege_gain.json'; -import rule94 from './suricata_category_attempted_user_privilege_gain.json'; -import rule95 from './suricata_category_attempted_denial_of_service.json'; -import rule96 from './suricata_category_decode_of_an_rpc_query.json'; -import rule97 from './suricata_category_denial_of_service.json'; -import rule98 from './suricata_category_attempted_login_with_suspicious_username.json'; -import rule99 from './suricata_category_client_using_unusual_port.json'; -import rule100 from './suricata_category_suspicious_filename_detected.json'; -import rule101 from './suricata_category_a_suspicious_string_was_detected.json'; -import rule102 from './suricata_category_tcp_connection_detected.json'; -import rule103 from './suricata_category_executable_code_was_detected.json'; -import rule104 from './suricata_category_network_trojan_detected.json'; -import rule105 from './suricata_category_system_call_detected.json'; -import rule106 from './suricata_category_potentially_vulnerable_web_application_access.json'; -import rule107 from './suricata_category_nonstandard_protocol_or_event.json'; -import rule108 from './suricata_category_denial_of_service_attack.json'; -import rule109 from 
'./suricata_category_generic_protocol_command_decode.json'; -import rule110 from './suricata_category_network_scan_detected.json'; -import rule111 from './suricata_category_web_application_attack.json'; -import rule112 from './suricata_category_generic_icmp_event.json'; -import rule113 from './suricata_category_misc_attack.json'; -import rule114 from './suricata_category_default_username_and_password_login_attempt.json'; -import rule115 from './suricata_category_external_ip_address_retrieval.json'; -import rule116 from './suricata_category_potential_corporate_privacy_violation.json'; -import rule117 from './suricata_category_targeted_malicious_activity.json'; -import rule118 from './suricata_category_observed_c2_domain.json'; -import rule119 from './suricata_category_exploit_kit_activity.json'; -import rule120 from './suricata_category_possibly_unwanted_program.json'; -import rule121 from './suricata_category_successful_credential_theft.json'; -import rule122 from './suricata_category_possible_social_engineering_attempted.json'; -import rule123 from './suricata_category_crypto_currency_mining_activity.json'; -import rule124 from './suricata_category_malware_command_and_control_activity.json'; -import rule125 from './suricata_category_misc_activity.json'; -import rule126 from './windows_powershell_connecting_to_the_internet.json'; -import rule127 from './windows_net_user_command_activity.json'; -import rule128 from './windows_image_load_from_a_temp_directory.json'; -import rule129 from './network_ssh_secure_shell_to_the_internet.json'; -import rule130 from './suricata_nonhttp_traffic_on_tcp_port_80.json'; -import rule131 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule132 from './linux_strace_activity.json'; -import rule133 from './suricata_directory_reversal_characters_in_an_http_request.json'; -import rule134 from './suricata_dns_traffic_on_unusual_udp_port.json'; -import rule135 from './network_telnet_port_activity.json'; -import rule136 
from './suricata_directory_traversal_in_downloaded_zip_file.json';
-import rule137 from './windows_execution_via_microsoft_html_application_hta.json';
-import rule138 from './windows_credential_dumping_commands.json';
-import rule139 from './windows_net_command_activity_by_the_system_account.json';
-import rule140 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule141 from './linux_java_process_connecting_to_the_internet.json';
-import rule142 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
-import rule143 from './suricata_double_encoded_characters_in_a_uri.json';
-import rule144 from './network_tor_activity_to_the_internet.json';
-import rule145 from './windows_registry_query_local.json';
-import rule146 from './linux_netcat_network_connection.json';
-import rule147 from './windows_defense_evasion_via_filter_manager.json';
-import rule148 from './suricata_nondns_traffic_on_udp_port_53.json';
-import rule149 from './suricata_double_encoded_characters_in_an_http_post.json';
-import rule150 from './command_shell_started_by_internet_explorer.json';
-import rule151 from './network_vnc_virtual_network_computing_from_the_internet.json';
-import rule152 from './windows_nmap_activity.json';
-import rule153 from './suspicious_process_started_by_a_script.json';
-import rule154 from './windows_network_anomalous_windows_process_using_https_ports.json';
-import rule155 from './powershell_network_connection.json';
-import rule156 from './windows_signed_binary_proxy_execution.json';
-import rule157 from './linux_kernel_module_activity.json';
-import rule158 from './network_vnc_virtual_network_computing_to_the_internet.json';
-import rule159 from './suricata_mimikatz_string_detected_in_http_response.json';
-import rule160 from './command_shell_started_by_svchost.json';
-import rule161 from './linux_tcpdump_activity.json';
-import rule162 from './process_started_by_ms_office_program_possible_payload.json';
-import rule163 from './windows_signed_binary_proxy_execution_download.json';
-import rule164 from './suricata_base64_encoded_startprocess_powershell_execution.json';
-import rule165 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
-import rule166 from './suricata_directory_traversal_characters_in_http_response.json';
-import rule167 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
-import rule168 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
-import rule169 from './process_started_by_acrobat_reader_possible_payload.json';
-import rule170 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
-import rule171 from './windows_persistence_via_modification_of_existing_service.json';
-import rule172 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
-import rule173 from './windows_execution_via_compiled_html_file.json';
-import rule174 from './linux_ptrace_activity.json';
-import rule175 from './suricata_nonimap_traffic_on_port_1443_imap.json';
-import rule176 from './windows_scheduled_task_activity.json';
-import rule177 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
-import rule178 from './windows_wireshark_activity.json';
-import rule179 from './windows_execution_via_trusted_developer_utilities.json';
-import rule180 from './suricata_rpc_traffic_on_http_ports.json';
-import rule181 from './windows_process_discovery_via_tasklist_command.json';
-import rule182 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
-import rule183 from './suricata_serialized_php_detected.json';
-import rule184 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
-import rule185 from './windows_registry_query_network.json';
-import rule186 from './windows_persistence_via_application_shimming.json';
-import rule187 from './network_proxy_port_activity_to_the_internet.json';
-import rule188 from './windows_whoami_command_activity.json';
-import rule189 from './suricata_shell_exec_php_function_in_an_http_post.json';
-import rule190 from './windump_activity.json';
-import rule191 from './windows_management_instrumentation_wmi_execution.json';
-import rule192 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
-import rule193 from './windows_priv_escalation_via_accessibility_features.json';
-import rule194 from './psexec_activity.json';
-import rule195 from './linux_rawshark_activity.json';
-import rule196 from './suricata_nonftp_traffic_on_port_21.json';
-import rule197 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
-import rule198 from './windows_certutil_connecting_to_the_internet.json';
-import rule199 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
-import rule200 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule201 from './linux_whoami_commmand.json';
-import rule202 from './windows_persistence_or_priv_escalation_via_hooking.json';
-import rule203 from './linux_lzop_activity_possible_julianrunnels.json';
-import rule204 from './suricata_nontls_on_tls_port.json';
-import rule205 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
-import rule206 from './linux_network_anomalous_process_using_https_ports.json';
-import rule207 from './windows_credential_dumping_via_registry_save.json';
-import rule208 from './network_rpc_remote_procedure_call_from_the_internet.json';
-import rule209 from './windows_credential_dumping_via_imageload.json';
-import rule210 from './windows_burp_ce_activity.json';
-import rule211 from './linux_hping_activity.json';
-import rule212 from './windows_command_prompt_connecting_to_the_internet.json';
-import rule213 from './network_nat_traversal_port_activity.json';
-import rule214 from './network_rpc_remote_procedure_call_to_the_internet.json';
-import rule215 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
-import rule216 from './windows_remote_management_execution.json';
-import rule217 from './suricata_lazagne_artifact_in_an_http_post.json';
-import rule218 from './windows_netcat_network_activity.json';
-import rule219 from './windows_iodine_activity.json';
-import rule220 from './network_port_26_activity.json';
-import rule221 from './windows_execution_via_connection_manager.json';
-import rule222 from './linux_process_started_in_temp_directory.json';
-import rule223 from './suricata_eval_php_function_in_an_http_request.json';
-import rule224 from './linux_web_download.json';
-import rule225 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
-import rule226 from './network_port_8000_activity.json';
-import rule227 from './windows_process_started_by_the_java_runtime.json';
-import rule228 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
-import rule229 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
-import rule230 from './network_port_8000_activity_to_the_internet.json';
-import rule231 from './command_shell_started_by_powershell.json';
-import rule232 from './linux_nmap_activity.json';
-import rule233 from './search_windows_10.json';
-import rule234 from './network_smtp_to_the_internet.json';
-import rule235 from './windows_payload_obfuscation_via_certutil.json';
-import rule236 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
-import rule237 from './linux_unusual_shell_activity.json';
-import rule238 from './linux_mknod_activity.json';
-import rule239 from './network_sql_server_port_activity_to_the_internet.json';
-import rule240 from './suricata_commonly_abused_dns_domain_detected.json';
-import rule241 from './linux_iodine_activity.json';
-import rule242 from './suricata_mimikatz_artifacts_in_an_http_post.json';
-import rule243 from './windows_execution_via_net_com_assemblies.json';
-import rule244 from './suricata_dns_traffic_on_unusual_tcp_port.json';
-import rule245 from './suricata_base64_encoded_newobject_powershell_execution.json';
-import rule246 from './windows_netcat_activity.json';
-import rule247 from './windows_persistence_via_bits_jobs.json';
-import rule248 from './linux_nping_activity.json';
-import rule249 from './windows_execution_via_regsvr32.json';
-import rule250 from './process_started_by_windows_defender.json';
+import rule1 from './403_response_to_a_post.json';
+import rule2 from './405_response_method_not_allowed.json';
+import rule3 from './500_response_on_admin_page.json';
+import rule4 from './command_shell_started_by_internet_explorer.json';
+import rule5 from './command_shell_started_by_powershell.json';
+import rule6 from './command_shell_started_by_svchost.json';
+import rule7 from './ece_network_detect_large_outbound_icmp_packets.json';
+import rule8 from './ece_network_detect_long_dns_txt_record_response.json';
+import rule9 from './ece_network_protocols_passing_authentication_in_cleartext.json';
+import rule10 from './ece_windows_child_processes_of_spoolsvexe.json';
+import rule11 from './ece_windows_detect_new_local_admin_account.json';
+import rule12 from './ece_windows_detect_psexec_with_accepteula_flag.json';
+import rule13 from './ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json';
+import rule14 from './ece_windows_new_external_device.json';
+import rule15 from './ece_windows_processes_created_by_netsh.json';
+import rule16 from './ece_windows_processes_launching_netsh.json';
+import rule17 from './ece_windows_windows_event_log_cleared.json';
+import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
+import rule19 from './eql_adobe_hijack_persistence.json';
+import rule20 from './eql_audio_capture_via_powershell.json';
+import rule21 from './eql_audio_capture_via_soundrecorder.json';
+import rule22 from './eql_bypass_uac_event_viewer.json';
+import rule23 from './eql_bypass_uac_via_cmstp.json';
+import rule24 from './eql_bypass_uac_via_sdclt.json';
+import rule25 from './eql_clearing_windows_event_logs.json';
+import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json';
+import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json';
+import rule28 from './eql_direct_outbound_smb_connection.json';
+import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json';
+import rule30 from './eql_dll_search_order_hijack.json';
+import rule31 from './eql_encoding_or_decoding_files_via_certutil.json';
+import rule32 from './eql_local_scheduled_task_commands.json';
+import rule33 from './eql_local_service_commands.json';
+import rule34 from './eql_modification_of_boot_configuration.json';
+import rule35 from './eql_msbuild_making_network_connections.json';
+import rule36 from './eql_mshta_making_network_connections.json';
+import rule37 from './eql_msxsl_making_network_connections.json';
+import rule38 from './eql_psexec_lateral_movement_command.json';
+import rule39 from './eql_suspicious_ms_office_child_process.json';
+import rule40 from './eql_suspicious_ms_outlook_child_process.json';
+import rule41 from './eql_suspicious_pdf_reader_child_process.json';
+import rule42 from './eql_system_shells_via_services.json';
+import rule43 from './eql_unusual_network_connection_via_rundll32.json';
+import rule44 from './eql_unusual_parentchild_relationship.json';
+import rule45 from './eql_unusual_process_network_connection.json';
+import rule46 from './eql_user_account_creation.json';
+import rule47 from './eql_user_added_to_administrator_group.json';
+import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
+import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json';
+import rule50 from './eql_windows_script_executing_powershell.json';
+import rule51 from './eql_wmic_command_lateral_movement.json';
+import rule52 from './linux_hping_activity.json';
+import rule53 from './linux_iodine_activity.json';
+import rule54 from './linux_java_process_connecting_to_the_internet.json';
+import rule55 from './linux_kernel_module_activity.json';
+import rule56 from './linux_ldso_process_activity.json';
+import rule57 from './linux_lzop_activity.json';
+import rule58 from './linux_lzop_activity_possible_julianrunnels.json';
+import rule59 from './linux_mknod_activity.json';
+import rule60 from './linux_netcat_network_connection.json';
+import rule61 from './linux_network_anomalous_process_using_https_ports.json';
+import rule62 from './linux_nmap_activity.json';
+import rule63 from './linux_nping_activity.json';
+import rule64 from './linux_process_started_in_temp_directory.json';
+import rule65 from './linux_ptrace_activity.json';
+import rule66 from './linux_rawshark_activity.json';
+import rule67 from './linux_shell_activity_by_web_server.json';
+import rule68 from './linux_socat_activity.json';
+import rule69 from './linux_ssh_forwarding.json';
+import rule70 from './linux_strace_activity.json';
+import rule71 from './linux_tcpdump_activity.json';
+import rule72 from './linux_unusual_shell_activity.json';
+import rule73 from './linux_web_download.json';
+import rule74 from './linux_whoami_commmand.json';
+import rule75 from './network_dns_directly_to_the_internet.json';
+import rule76 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
+import rule77 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
+import rule78 from './network_nat_traversal_port_activity.json';
+import rule79 from './network_port_26_activity.json';
+import rule80 from './network_port_8000_activity.json';
+import rule81 from './network_port_8000_activity_to_the_internet.json';
+import rule82 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
+import rule83 from './network_proxy_port_activity_to_the_internet.json';
+import rule84 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
+import rule85 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
+import rule86 from './network_rpc_remote_procedure_call_from_the_internet.json';
+import rule87 from './network_rpc_remote_procedure_call_to_the_internet.json';
+import rule88 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule89 from './network_smtp_to_the_internet.json';
+import rule90 from './network_sql_server_port_activity_to_the_internet.json';
+import rule91 from './network_ssh_secure_shell_from_the_internet.json';
+import rule92 from './network_ssh_secure_shell_to_the_internet.json';
+import rule93 from './network_telnet_port_activity.json';
+import rule94 from './network_tor_activity_to_the_internet.json';
+import rule95 from './network_vnc_virtual_network_computing_from_the_internet.json';
+import rule96 from './network_vnc_virtual_network_computing_to_the_internet.json';
+import rule97 from './null_user_agent.json';
+import rule98 from './powershell_network_connection.json';
+import rule99 from './process_execution_via_wmi.json';
+import rule100 from './process_started_by_acrobat_reader_possible_payload.json';
+import rule101 from './process_started_by_ms_office_program_possible_payload.json';
+import rule102 from './process_started_by_windows_defender.json';
+import rule103 from './psexec_activity.json';
+import rule104 from './search_windows_10.json';
+import rule105 from './splunk_child_processes_of_spoolsvexe.json';
+import rule106 from './splunk_detect_large_outbound_icmp_packets.json';
+import rule107 from './splunk_detect_long_dns_txt_record_response.json';
+import rule108 from './splunk_detect_new_local_admin_account.json';
+import rule109 from './splunk_detect_psexec_with_accepteula_flag.json';
+import rule110 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json';
+import rule111 from './splunk_processes_created_by_netsh.json';
+import rule112 from './splunk_processes_launching_netsh.json';
+import rule113 from './splunk_protocols_passing_authentication_in_cleartext.json';
+import rule114 from './splunk_windows_event_log_cleared.json';
+import rule115 from './sqlmap_user_agent.json';
+import rule116 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
+import rule117 from './suricata_base64_encoded_newobject_powershell_execution.json';
+import rule118 from './suricata_base64_encoded_startprocess_powershell_execution.json';
+import rule119 from './suricata_category_a_suspicious_string_was_detected.json';
+import rule120 from './suricata_category_attempted_administrator_privilege_gain.json';
+import rule121 from './suricata_category_attempted_denial_of_service.json';
+import rule122 from './suricata_category_attempted_information_leak.json';
+import rule123 from './suricata_category_attempted_login_with_suspicious_username.json';
+import rule124 from './suricata_category_attempted_user_privilege_gain.json';
+import rule125 from './suricata_category_client_using_unusual_port.json';
+import rule126 from './suricata_category_crypto_currency_mining_activity.json';
+import rule127 from './suricata_category_decode_of_an_rpc_query.json';
+import rule128 from './suricata_category_default_username_and_password_login_attempt.json';
+import rule129 from './suricata_category_denial_of_service.json';
+import rule130 from './suricata_category_denial_of_service_attack.json';
+import rule131 from './suricata_category_executable_code_was_detected.json';
+import rule132 from './suricata_category_exploit_kit_activity.json';
+import rule133 from './suricata_category_external_ip_address_retrieval.json';
+import rule134 from './suricata_category_generic_icmp_event.json';
+import rule135 from './suricata_category_generic_protocol_command_decode.json';
+import rule136 from './suricata_category_information_leak.json';
+import rule137 from './suricata_category_large_scale_information_leak.json';
+import rule138 from './suricata_category_malware_command_and_control_activity.json';
+import rule139 from './suricata_category_misc_activity.json';
+import rule140 from './suricata_category_misc_attack.json';
+import rule141 from './suricata_category_network_scan_detected.json';
+import rule142 from './suricata_category_network_trojan_detected.json';
+import rule143 from './suricata_category_nonstandard_protocol_or_event.json';
+import rule144 from './suricata_category_not_suspicious_traffic.json';
+import rule145 from './suricata_category_observed_c2_domain.json';
+import rule146 from './suricata_category_possible_social_engineering_attempted.json';
+import rule147 from './suricata_category_possibly_unwanted_program.json';
+import rule148 from './suricata_category_potential_corporate_privacy_violation.json';
+import rule149 from './suricata_category_potentially_bad_traffic.json';
+import rule150 from './suricata_category_potentially_vulnerable_web_application_access.json';
+import rule151 from './suricata_category_successful_administrator_privilege_gain.json';
+import rule152 from './suricata_category_successful_credential_theft.json';
+import rule153 from './suricata_category_successful_user_privilege_gain.json';
+import rule154 from './suricata_category_suspicious_filename_detected.json';
+import rule155 from './suricata_category_system_call_detected.json';
+import rule156 from './suricata_category_targeted_malicious_activity.json';
+import rule157 from './suricata_category_tcp_connection_detected.json';
+import rule158 from './suricata_category_unknown_traffic.json';
+import rule159 from './suricata_category_unsuccessful_user_privilege_gain.json';
+import rule160 from './suricata_category_web_application_attack.json';
+import rule161 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
+import rule162 from './suricata_commonly_abused_dns_domain_detected.json';
+import rule163 from './suricata_directory_reversal_characters_in_an_http_request.json';
+import rule164 from './suricata_directory_traversal_characters_in_an_http_request.json';
+import rule165 from './suricata_directory_traversal_characters_in_http_response.json';
+import rule166 from './suricata_directory_traversal_in_downloaded_zip_file.json';
+import rule167 from './suricata_dns_traffic_on_unusual_tcp_port.json';
+import rule168 from './suricata_dns_traffic_on_unusual_udp_port.json';
+import rule169 from './suricata_double_encoded_characters_in_a_uri.json';
+import rule170 from './suricata_double_encoded_characters_in_an_http_post.json';
+import rule171 from './suricata_double_encoded_characters_in_http_request.json';
+import rule172 from './suricata_eval_php_function_in_an_http_request.json';
+import rule173 from './suricata_exploit_cve_2018_1000861.json';
+import rule174 from './suricata_exploit_cve_2019_0227.json';
+import rule175 from './suricata_exploit_cve_2019_0232.json';
+import rule176 from './suricata_exploit_cve_2019_0604.json';
+import rule177 from './suricata_exploit_cve_2019_0708.json';
+import rule178 from './suricata_exploit_cve_2019_0752.json';
+import rule179 from './suricata_exploit_cve_2019_1003000.json';
+import rule180 from './suricata_exploit_cve_2019_10149.json';
+import rule181 from './suricata_exploit_cve_2019_11043.json';
+import rule182 from './suricata_exploit_cve_2019_11510.json';
+import rule183 from './suricata_exploit_cve_2019_11580.json';
+import rule184 from './suricata_exploit_cve_2019_11581.json';
+import rule185 from './suricata_exploit_cve_2019_13450.json';
+import rule186 from './suricata_exploit_cve_2019_13505.json';
+import rule187 from './suricata_exploit_cve_2019_15107.json';
+import rule188 from './suricata_exploit_cve_2019_15846.json';
+import rule189 from './suricata_exploit_cve_2019_16072.json';
+import rule190 from './suricata_exploit_cve_2019_1652.json';
+import rule191 from './suricata_exploit_cve_2019_16662.json';
+import rule192 from './suricata_exploit_cve_2019_16759.json';
+import rule193 from './suricata_exploit_cve_2019_16928.json';
+import rule194 from './suricata_exploit_cve_2019_17270.json';
+import rule195 from './suricata_exploit_cve_2019_1821.json';
+import rule196 from './suricata_exploit_cve_2019_19781.json';
+import rule197 from './suricata_exploit_cve_2019_2618.json';
+import rule198 from './suricata_exploit_cve_2019_2725.json';
+import rule199 from './suricata_exploit_cve_2019_3396.json';
+import rule200 from './suricata_exploit_cve_2019_3929.json';
+import rule201 from './suricata_exploit_cve_2019_5533.json';
+import rule202 from './suricata_exploit_cve_2019_6340.json';
+import rule203 from './suricata_exploit_cve_2019_7256.json';
+import rule204 from './suricata_exploit_cve_2019_9978.json';
+import rule205 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
+import rule206 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
+import rule207 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
+import rule208 from './suricata_lazagne_artifact_in_an_http_post.json';
+import rule209 from './suricata_mimikatz_artifacts_in_an_http_post.json';
+import rule210 from './suricata_mimikatz_string_detected_in_http_response.json';
+import rule211 from './suricata_nondns_traffic_on_tcp_port_53.json';
+import rule212 from './suricata_nondns_traffic_on_udp_port_53.json';
+import rule213 from './suricata_nonftp_traffic_on_port_21.json';
+import rule214 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
+import rule215 from './suricata_nonimap_traffic_on_port_1443_imap.json';
+import rule216 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
+import rule217 from './suricata_nonssh_traffic_on_port_22.json';
+import rule218 from './suricata_nontls_on_tls_port.json';
+import rule219 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
+import rule220 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
+import rule221 from './suricata_rpc_traffic_on_http_ports.json';
+import rule222 from './suricata_serialized_php_detected.json';
+import rule223 from './suricata_shell_exec_php_function_in_an_http_post.json';
+import rule224 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
+import rule225 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
+import rule226 from './suricata_windows_executable_served_by_jpeg_web_content.json';
+import rule227 from './suspicious_process_started_by_a_script.json';
+import rule228 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
+import rule229 from './windows_burp_ce_activity.json';
+import rule230 from './windows_certutil_connecting_to_the_internet.json';
+import rule231 from './windows_command_prompt_connecting_to_the_internet.json';
+import rule232 from './windows_command_shell_started_by_internet_explorer.json';
+import rule233 from './windows_command_shell_started_by_powershell.json';
+import rule234 from './windows_command_shell_started_by_svchost.json';
+import rule235 from './windows_credential_dumping_commands.json';
+import rule236 from './windows_credential_dumping_via_imageload.json';
+import rule237 from './windows_credential_dumping_via_registry_save.json';
+import rule238 from './windows_data_compression_using_powershell.json';
+import rule239 from './windows_defense_evasion_decoding_using_certutil.json';
+import rule240 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
+import rule241 from './windows_defense_evasion_via_filter_manager.json';
+import rule242 from './windows_defense_evasion_via_windows_event_log_tools.json';
+import rule243 from './windows_execution_via_compiled_html_file.json';
+import rule244 from './windows_execution_via_connection_manager.json';
+import rule245 from './windows_execution_via_microsoft_html_application_hta.json';
+import rule246 from './windows_execution_via_net_com_assemblies.json';
+import rule247 from './windows_execution_via_regsvr32.json';
+import rule248 from './windows_execution_via_trusted_developer_utilities.json';
+import rule249 from './windows_html_help_executable_program_connecting_to_the_internet.json';
+import rule250 from './windows_image_load_from_a_temp_directory.json';
 import rule251 from './windows_indirect_command_execution.json';
-import rule252 from './network_ssh_secure_shell_from_the_internet.json';
-import rule253 from './windows_html_help_executable_program_connecting_to_the_internet.json';
-import rule254 from './suricata_windows_executable_served_by_jpeg_web_content.json';
-import rule255 from './network_dns_directly_to_the_internet.json';
-import rule256 from './windows_defense_evasion_via_windows_event_log_tools.json';
-import rule257 from './suricata_nondns_traffic_on_tcp_port_53.json';
-import rule258 from './windows_persistence_via_netshell_helper_dll.json';
-import rule259 from './windows_script_interpreter_connecting_to_the_internet.json';
-import rule260 from './windows_defense_evasion_decoding_using_certutil.json';
-import rule261 from './linux_shell_activity_by_web_server.json';
-import rule262 from './linux_ldso_process_activity.json';
-import rule263 from './windows_mimikatz_activity.json';
-import rule264 from './suricata_nonssh_traffic_on_port_22.json';
-import rule265 from './windows_data_compression_using_powershell.json';
-import rule266 from './windows_nmap_scan_activity.json';
-import rule267 from './splunk_windows_event_log_cleared.json';
-import rule268 from './splunk_detect_long_dns_txt_record_response.json';
-import rule269 from './splunk_processes_launching_netsh.json';
-import rule270 from './splunk_detect_large_outbound_icmp_packets.json';
-import rule271 from './splunk_detect_new_local_admin_account.json';
-import rule272 from './splunk_protocols_passing_authentication_in_cleartext.json';
-import rule273 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json';
-import rule274 from './splunk_child_processes_of_spoolsvexe.json';
-import rule275 from './splunk_detect_psexec_with_accepteula_flag.json';
-import rule276 from './splunk_processes_created_by_netsh.json';
-import rule277 from './process_execution_via_wmi.json';
-
+import rule252 from './windows_iodine_activity.json';
+import rule253 from './windows_management_instrumentation_wmi_execution.json';
+import rule254 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
+import rule255 from './windows_mimikatz_activity.json';
+import rule256 from './windows_misc_lolbin_connecting_to_the_internet.json';
+import rule257 from './windows_net_command_activity_by_the_system_account.json';
+import rule258 from './windows_net_user_command_activity.json';
+import rule259 from './windows_netcat_activity.json';
+import rule260 from './windows_netcat_network_activity.json';
+import rule261 from './windows_network_anomalous_windows_process_using_https_ports.json';
+import rule262 from './windows_nmap_activity.json';
+import rule263 from './windows_nmap_scan_activity.json';
+import rule264 from './windows_payload_obfuscation_via_certutil.json';
+import rule265 from './windows_persistence_or_priv_escalation_via_hooking.json';
+import rule266 from './windows_persistence_via_application_shimming.json';
+import rule267 from './windows_persistence_via_bits_jobs.json';
+import rule268 from './windows_persistence_via_modification_of_existing_service.json';
+import rule269 from './windows_persistence_via_netshell_helper_dll.json';
+import rule270 from './windows_powershell_connecting_to_the_internet.json';
+import rule271 from './windows_priv_escalation_via_accessibility_features.json';
+import rule272 from './windows_process_discovery_via_tasklist_command.json';
+import rule273 from './windows_process_execution_via_wmi.json';
+import rule274 from './windows_process_started_by_acrobat_reader_possible_payload.json';
+import rule275 from './windows_process_started_by_ms_office_program_possible_payload.json';
+import rule276 from './windows_process_started_by_the_java_runtime.json';
+import rule277 from './windows_psexec_activity.json';
+import rule278 from './windows_register_server_program_connecting_to_the_internet.json';
+import rule279 from './windows_registry_query_local.json';
+import rule280 from './windows_registry_query_network.json';
+import rule281 from './windows_remote_management_execution.json';
+import rule282 from './windows_scheduled_task_activity.json';
+import rule283 from './windows_script_interpreter_connecting_to_the_internet.json';
+import rule284 from './windows_signed_binary_proxy_execution.json';
+import rule285 from './windows_signed_binary_proxy_execution_download.json';
+import rule286 from './windows_suspicious_process_started_by_a_script.json';
+import rule287 from './windows_whoami_command_activity.json';
+import rule288 from './windows_windump_activity.json';
+import rule289 from './windows_wireshark_activity.json';
+import rule290 from './windump_activity.json';
+import rule291 from './zeek_notice_capturelosstoo_much_loss.json';
+import rule292 from './zeek_notice_conncontent_gap.json';
+import rule293 from './zeek_notice_connretransmission_inconsistency.json';
+import rule294 from './zeek_notice_dnsexternal_name.json';
+import rule295 from './zeek_notice_ftpbruteforcing.json';
+import rule296 from './zeek_notice_ftpsite_exec_success.json';
+import rule297 from './zeek_notice_heartbleedssl_heartbeat_attack.json';
+import rule298 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json';
+import rule299 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json';
+import rule300 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json';
+import rule301 from './zeek_notice_httpsql_injection_attacker.json';
+import rule302 from './zeek_notice_httpsql_injection_victim.json';
+import rule303 from './zeek_notice_intelnotice.json';
+import rule304 from './zeek_notice_noticetally.json';
+import rule305 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json';
+import rule306 from './zeek_notice_packetfiltercompile_failure.json';
+import rule307 from './zeek_notice_packetfilterdropped_packets.json';
+import rule308 from './zeek_notice_packetfilterinstall_failure.json';
+import rule309 from './zeek_notice_packetfilterno_more_conn_shunts_available.json';
+import rule310 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json';
+import rule311 from './zeek_notice_protocoldetectorprotocol_found.json';
+import rule312 from './zeek_notice_protocoldetectorserver_found.json';
+import rule313 from './zeek_notice_scanaddress_scan.json';
+import rule314 from './zeek_notice_scanport_scan.json';
+import rule315 from './zeek_notice_signaturescount_signature.json';
+import rule316 from './zeek_notice_signaturesmultiple_sig_responders.json';
+import rule317 from './zeek_notice_signaturesmultiple_signatures.json';
+import rule318 from './zeek_notice_signaturessensitive_signature.json';
+import rule319 from './zeek_notice_signaturessignature_summary.json';
+import rule320 from './zeek_notice_smtpblocklist_blocked_host.json';
+import rule321 from './zeek_notice_smtpblocklist_error_message.json';
+import rule322 from './zeek_notice_smtpsuspicious_origination.json';
+import rule323 from './zeek_notice_softwaresoftware_version_change.json';
+import rule324 from './zeek_notice_softwarevulnerable_version.json';
+import rule325 from './zeek_notice_sshinteresting_hostname_login.json';
+import rule326 from './zeek_notice_sshlogin_by_password_guesser.json';
+import rule327 from './zeek_notice_sshpassword_guessing.json';
+import rule328 from './zeek_notice_sshwatched_country_login.json';
+import rule329 from './zeek_notice_sslcertificate_expired.json';
+import rule330 from './zeek_notice_sslcertificate_expires_soon.json';
+import rule331 from './zeek_notice_sslcertificate_not_valid_yet.json';
+import rule332 from './zeek_notice_sslinvalid_ocsp_response.json';
+import rule333 from './zeek_notice_sslinvalid_server_cert.json';
+import rule334 from './zeek_notice_sslold_version.json';
+import rule335 from './zeek_notice_sslweak_cipher.json';
+import rule336 from './zeek_notice_sslweak_key.json';
+import rule337 from './zeek_notice_teamcymrumalwarehashregistrymatch.json';
+import rule338 from './zeek_notice_traceroutedetected.json';
+import rule339 from './zeek_notice_weirdactivity.json';
 export const rawRules = [
 rule1,
 rule2,
@@ -563,4 +624,66 @@ export const rawRules = [
 rule275,
 rule276,
 rule277,
+ rule278,
+ rule279,
+ rule280,
+ rule281,
+ rule282,
+ rule283,
+ rule284,
+ rule285,
+ rule286,
+ rule287,
+ rule288,
+ rule289,
+ rule290,
+ rule291,
+ rule292,
+ rule293,
+ rule294,
+ rule295,
+ rule296,
+ rule297,
+ rule298,
+ rule299,
+ rule300,
+ rule301,
+ rule302,
+ rule303,
+ rule304,
+ rule305,
+ rule306,
+ rule307,
+ rule308,
+ rule309,
+ rule310,
+ rule311,
+ rule312,
+ rule313,
+ rule314,
+ rule315,
+ rule316,
+ rule317,
+ rule318,
+ rule319,
+ rule320,
+ rule321,
+ rule322,
+ rule323,
+ rule324,
+ rule325,
+ rule326,
+ rule327,
+ rule328,
+ rule329,
+ rule330,
+ rule331,
+ rule332,
+ rule333,
+ rule334,
+ rule335,
+ rule336,
+ rule337,
+ rule338,
+ rule339,
 ];
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
index 92308283717a54..b42e4130b688cf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
@@ -1,68 +1,16 @@ { - "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", - "risk_score": 50, "description": "Linux: Hping Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Hping Activity", + "query": "process.name: hping and event.action:executed", + "risk_score": 50, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: hping", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json index ded4b72fcbfc48..1eb66c39571d75 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json 
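Review bot: `"version": 1` is unchanged context while the query that drives this alert has been rewritten (the `event.action: process_started` and `event.dataset: process` filters are replaced by `and event.action:executed` in the KQL), so if prepackaged-rule upgrades are keyed off `version`, as the `immutable` flag suggests, installations that already hold this rule_id keep the old query; `"version": 2` would let the new query propagate. The same version-unchanged pattern applies to the iodine, kernel module, ld.so, mknod, netcat, nping, temp-directory, ptrace, rawshark, shell-by-web-server, strace and tcpdump hunks below. Dropping the `event.dataset: process` constraint also widens the match slightly; it is worth confirming that `event.action:executed` only occurs in the process dataset for the data source these rules target.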
@@ -1,68 +1,16 @@ { - "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", - "risk_score": 50, "description": "Linux: Iodine Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Iodine Activity", + "query": "process.name: (iodine or iodined) and event.action:executed", + "risk_score": 50, + "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: (iodine or iodined)", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json index aba4954e3552a6..57f37e34ad4d5f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json @@ -1,29 +1,22 @@ { - "rule_id": "7f65b8c5-27ed-4cf6-a088-3a20d2f84bf5", - "risk_score": 50, "description": "Linux: Java Process Connecting to the Internet", - "immutable": true, - "interval": "5m", - "name": "Linux: Java Process Connecting to the Internet", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "java", + "negate": false, "params": { "query": "java" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "java" }, "query": { "match": { @@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "socket_opened", + "negate": false, "params": { "query": "socket_opened" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "socket_opened" }, "query": { "match": { 
@@ -57,23 +50,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "key": "destination.ip", - "value": "127.0.0.1", + "negate": true, "params": { "query": "127.0.0.1" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index" + "type": "phrase", + "value": "127.0.0.1" }, "query": { "match": { @@ -82,23 +75,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "key": "destination.ip", - "value": "::1", + "negate": true, "params": { "query": "::1" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index" + "type": "phrase", + "value": "::1" }, "query": { "match": { @@ -107,12 +100,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Linux: Java Process Connecting to the Internet", + "query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12", + "risk_score": 50, + "rule_id": "7f65b8c5-27ed-4cf6-a088-3a20d2f84bf5", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index 4564d1afccf79c..90864f1ab8ab9f 100644 
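Review bot: The re-added query line `"query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12"` binds only the first range to `destination.ip`; the second clause is a bare term, so 172.16.0.0/12 is searched as free text instead of being excluded, and 192.168.0.0/16 is not excluded at all. `"query": "not destination.ip: 10.0.0.0/8 and not destination.ip: 172.16.0.0/12 and not destination.ip: 192.168.0.0/16"` says what the rule name promises and matches the per-clause form the anomalous-HTTP/S-ports rule later in this diff already uses. The remaining hunks of this section only reorder keys inside the filters.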
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json @@ -1,68 +1,16 @@ { - "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", - "risk_score": 50, "description": "Linux: Kernel Module Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Kernel Module Activity", + "query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed", + "risk_score": 50, + "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: (insmod or kmod or modprobe or rmod)", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } 
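Review bot: `rmod` in the re-added query `process.name: (insmod or kmod or modprobe or rmod)` looks like a typo for `rmmod`, the module-removal binary, so module unloads will never match this rule; `process.name: (insmod or kmod or modprobe or rmmod) and event.action:executed` would cover them. The query text is carried over from the old side, so the typo predates this commit, but the rewrite is the natural place to fix it.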
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
index 2db76834061b96..174e246fa70d98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f",
- "risk_score": 50,
 "description": "Linux ld.so process activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux ld.so process activity",
+ "query": "process.name:ld.so and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:ld.so",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
new file mode 100644
index 00000000000000..77953240c21859
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
@@ -0,0 +1,17 @@
+{
+ "description": "Linux lzop activity - possible @JulianRunnels",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Linux lzop activity",
+ "query": "process.name:lzop and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "d7359214-54a4-4572-9e51-ebf79cda9b04",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
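Review bot: The new linux_lzop_activity.json duplicates linux_lzop_activity_possible_julianrunnels.json (the next file in this diff): same description, the same `process.name:lzop` query apart from the `and event.action:executed` suffix, but a second rule_id (d7359214-54a4-4572-9e51-ebf79cda9b04 next to d89b05b1-9b2b-45ea-9876-4a74550af6a6), so both rules get installed and fire on the same events. Keep one: if this file is the intended replacement, its description should drop the `- possible @JulianRunnels` attribution copied from the old rule, and the old file should be deleted rather than re-sorted; if both are meant to stay, the old one needs the same `and event.action:executed` constraint that every sibling in this batch received.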
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json
index 5b3a978813b79f..62203b6c42a5a5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d89b05b1-9b2b-45ea-9876-4a74550af6a6",
- "risk_score": 50,
 "description": "Linux lzop activity - possible @JulianRunnels",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux lzop activity - possible @JulianRunnels",
+ "query": "process.name:lzop",
+ "risk_score": 50,
+ "rule_id": "d89b05b1-9b2b-45ea-9876-4a74550af6a6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:lzop",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
index 04ddc409c1efe7..08940115207413 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
@@ -1,68 +1,16 @@ { - "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", - "risk_score": 50, "description": "Linux: Mknod Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Mknod Activity", + "query": "process.name: mknod and event.action:executed", + "risk_score": 50, + "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: mknod", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index 1ba35bec8f5174..d324a4f64cbbad 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json 
@@ -1,93 +1,16 @@ { - "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", - "risk_score": 50, "description": "Linux: Netcat Network Connection", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", - "name": "Linux: Netcat Network Connection", + "language": "kuery", + "name": "Linux: Netcat Network Activity", + "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)", + "risk_score": 50, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional)", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "socket_opened", - "params": { - "query": "socket_opened" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "socket_opened", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": true, - "type": "phrase", - "key": "destination.ip", - "value": "127.0.0.1", - "params": { - "query": "127.0.0.1" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "destination.ip": { - "query": "127.0.0.1", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": true, - "type": "phrase", - "key": "destination.ip", - "value": "::1", - "params": { - "query": "::1" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index" - }, - "query": { - "match": { - "destination.ip": { - "query": "::1", - "type": "phrase" - } - } - }, - "$state": { - "store": 
"appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json index d5bf37daab0f48..d04f6610f450d4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json 
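Review bot: The rewritten query drops the two negated `destination.ip` filters for 127.0.0.1 and ::1 that the old rule carried, so loopback netcat connections (local port checks, health probes) now match; appending `and not destination.ip: (127.0.0.1 or ::1)` to the query keeps the previous scope. The `name` is changed to "Linux: Netcat Network Activity" while `description` still reads "Linux: Netcat Network Connection"; the two should agree. This hunk begins on the previous line of the listing.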
@@ -1,17 +1,17 @@
 {
- "rule_id": "be40c674-1799-4a00-934d-0b2d54495913",
- "risk_score": 50,
 "description": "Linux Network - Anomalous Process Using HTTP/S Ports",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux Network - Anomalous Process Using HTTP/S Ports",
+ "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget",
+ "risk_score": 50,
+ "rule_id": "be40c674-1799-4a00-934d-0b2d54495913",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
index 430d6b6984d6cd..cb89fdc6ebbff5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
@@ -1,68 +1,16 @@ { - "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", - "risk_score": 50, "description": "Linux: Nmap Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Nmap Activity", + "query": "process.name: nmap", + "risk_score": 50, + "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: nmap", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index a87f42f1774bf0..b5508c388059cc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json 
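Review bot: `"query": "process.name: nmap"` is the one rule in this batch that lost its `event.action: process_started` filter without getting the `and event.action:executed` constraint the sibling hunks (hping, nping, strace, tcpdump, ...) received, so it will now match every process event that names nmap, not just executions. `"query": "process.name: nmap and event.action:executed"` brings it in line with the others.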
@@ -1,68 +1,16 @@ { - "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", - "risk_score": 50, "description": "Linux: Nping Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Nping Activity", + "query": "process.name: nping and event.action:executed", + "risk_score": 50, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: nmap", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index 2a83ff8c5d2c66..d9d409feae4735 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -1,68 +1,16 @@ { - "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", - "risk_score": 50, "description": "Linux: Process Started in Temp Directory", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Process Started in Temp Directory", + "query": "process.working_directory: /tmp and event.action:executed", + "risk_score": 50, + "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.working_directory: /tmp", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json index 0ac4365ae8b7ea..47ae28cf8ea4c0 100644 
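Review bot: `process.working_directory: /tmp` is an exact term match if the field is keyword-mapped, so a process started from a subdirectory such as /tmp/build, or from /var/tmp and /dev/shm, is not covered although the rule name promises "Temp Directory". `process.working_directory: (/tmp* or /var/tmp* or /dev/shm*) and event.action:executed` would widen it; confirm the field mapping before relying on the trailing wildcard.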
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json @@ -1,43 +1,16 @@ { - "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af", - "risk_score": 50, "description": "Linux: Ptrace Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Ptrace Activity", + "query": "process.name: ptrace and event.action:executed", + "risk_score": 50, + "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: ptrace", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json index ff74ba8e51b87a..d4924cab7048fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json 
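Review bot: `process.name: ptrace and event.action:executed` only fires for a process whose executable is literally named ptrace, but ptrace is a syscall rather than a standard binary, so with execution data this rule is unlikely to ever match unless such a binary is expected in the environment. If the intent is to catch tracers attaching to other processes, the rule needs syscall-level data (auditd's ptrace syscall events) or should be folded into the strace rule, which already covers the common user-space tracer; a description sentence stating which data source is assumed would make that explicit.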
@@ -1,68 +1,16 @@ { - "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029", - "risk_score": 50, "description": "Linux: Rawshark Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Rawshark Activity", + "query": "process.name: rawshark and event.action:executed", + "risk_score": 50, + "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: rawshark", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index 7499f6bc17ac16..d533f5d4ec3f64 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
- "risk_score": 50,
 "description": "Linux: Shell Activity By Web Server",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux: Shell Activity By Web Server",
+ "query": "process.name: bash and (user.name: apache or www) and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name: bash and (user.name: apache or www)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
new file mode 100644
index 00000000000000..2ea860e0619587
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
@@ -0,0 +1,16 @@
+{
+ "description": "Linux: socat activity",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Linux: Whoami Commmand",
+ "query": "process.name:socat and not process.args:\"-V\" and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
new file mode 100644
index 00000000000000..38562320921b4d
--- /dev/null
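Review bot: In the re-added query `process.name: bash and (user.name: apache or www) and event.action:executed` the `www` term is not bound to any field: KQL applies `user.name:` only to `apache`, so `www` is a free-text search across default fields, and the usual Debian/Ubuntu web-server account is `www-data` in any case. `"query": "process.name: bash and user.name: (apache or www-data) and event.action:executed"` says what the rule intends. The precedence slip was already present on the old side; the rewrite is the place to correct it.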
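Review bot: `"name": "Linux: Whoami Commmand"` in the new socat rule is a copy-paste leftover (and misspelled); the name is what analysts see in the alert list, so it should read `"name": "Linux: socat activity"` to match the description. The `not process.args:\"-V\"` exclusion is sensible but undocumented; a description sentence noting that version checks are excluded would save the next maintainer from removing it.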
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
@@ -0,0 +1,19 @@
+{
+ "description": "Detect ssh processes with the `-R` flag which can be used to forward a port on a local system to the local system so that someone on the remote system can connect to the local system. This is often used by attackers to create encrypted tunnels through firewalls for pivoting and persistence.",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Linux: SSH Port Forwarding",
+ "query": "process.name:ssh and process.args:\"-R\" and event.action:executed",
+ "references": [
+ " - https://www.ssh.com/ssh/tunneling,https://www.ssh.com/ssh/tunneling/example,https://attack.mitre.org/techniques/T1184/"
+ ],
+ "risk_score": 50,
+ "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
index 5c813fbb62eb7e..dc0eae38d20c65 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
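Review bot: `"references"` holds one string with a leading ` - ` and three comma-joined URLs, so the UI will render a single broken link; it should be three elements, `"https://www.ssh.com/ssh/tunneling"`, `"https://www.ssh.com/ssh/tunneling/example"` and `"https://attack.mitre.org/techniques/T1184/"`. The description's "forward a port on a local system to the local system" is garbled: `-R` binds a port on the remote host and forwards it back to the local side, so "forward a port on the remote system back to the local system" reads correctly. Note also that `process.args:"-R"` is an exact-term match on the argument array, so a description sentence stating that only the separate `-R` token form is covered would set expectations for analysts tuning the rule.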
@@ -1,68 +1,16 @@
 {
- "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
- "risk_score": 50,
 "description": "Linux: Strace Activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux: Strace Activity",
+ "query": "process.name: strace and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name: strace",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.dataset",
- "value": "process",
- "params": {
- "query": "process"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.dataset": {
- "query": "process",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- },
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "process_started",
- "params": {
- "query": "process_started"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "process_started",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
index 1df4ad8b469b91..f7b543fef75f5e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
- "risk_score": 50,
 "description": "Linux: Tcpdump Activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux: Tcpdump Activity",
+ "query": "process.name: tcpdump and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name: tcpdump",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "process_started",
- "params": {
- "query": "process_started"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "process_started",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json
index efa84c22f928c8..a63b2ea7dc5221 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json
@@ -1,29 +1,22 @@
 {
- "rule_id": "4cc78842-f8a9-4a20-b703-a596c4f24e4f",
- "risk_score": 50,
 "description": "Linux unusual shell activity",
- "immutable": true,
- "interval": "5m",
- "name": "Linux unusual shell activity",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
- "query": "process.name:*sh",
- "language": "kuery",
+ "enabled": false,
 "filters": [
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": true,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "process.name",
- "value": "bash",
+ "negate": true,
 "params": {
 "query": "bash"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ "type": "phrase",
+ "value": "bash"
 },
 "query": {
 "match": {
@@ -32,23 +25,23 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 },
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": true,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
 "key": "process.executable",
- "value": "/bin/dash",
+ "negate": true,
 "params": {
 "query": "/bin/dash"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index"
+ "type": "phrase",
+ "value": "/bin/dash"
 },
 "query": {
 "match": {
@@ -57,23 +50,23 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 },
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": true,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
 "key": "process.name",
- "value": "ReportCrash",
+ "negate": true,
 "params": {
 "query": "ReportCrash"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index"
+ "type": "phrase",
+ "value": "ReportCrash"
 },
 "query": {
 "match": {
@@ -82,12 +75,19 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 }
 ],
- "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Linux unusual shell activity",
+ "query": "process.name:*sh",
+ "risk_score": 50,
+ "rule_id": "4cc78842-f8a9-4a20-b703-a596c4f24e4f",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
index d9ee2ccc98f109..876a3fef7aa091 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519",
- "risk_score": 50,
 "description": "Linux: Web Download",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux: Web Download",
+ "query": "process.name: (curl or wget) and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name: curl or wget",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "socket_opened",
- "params": {
- "query": "socket_opened"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "socket_opened",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
index 47c01778786c27..56a2782eb0cca0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
@@ -1,68 +1,16 @@
 {
- "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
- "risk_score": 50,
 "description": "Linux: Whoami Commmand",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux: Whoami Commmand",
+ "query": "process.name: whoami and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name: whoami",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "process_started",
- "params": {
- "query": "process_started"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "process_started",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- },
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.dataset",
- "value": "process",
- "params": {
- "query": "process"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index"
- },
- "query": {
- "match": {
- "event.dataset": {
- "query": "process",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
index 3dfbb508b897f8..1a3c3c003b532c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
- "risk_score": 50,
 "description": "Network - DNS Directly to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - DNS Directly to the Internet\t",
+ "query": "destination.port:53 and not destination.ip: 169.254.169.254/32 and not destination.ip:127.0.0.53/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:53 and not destination.ip: 169.254.169.254/32 and not destination.ip:127.0.0.53/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
index 7462fd445d1ec1..99a126f0613ec0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
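Review bot: Both `description` and `name` end in a literal `\t` (`"Network - DNS Directly to the Internet\t"`); the tab survives unchanged into the new file and will be rendered in the rule title and in every alert that copies `name`, and it also breaks exact-match lookups on the rule name. Trim it on both keys: `"name": "Network - DNS Directly to the Internet",`. The same trailing tab is on the new side of the FTP, IRC, NAT traversal, port 26, port 8000 to the Internet, PPTP, proxy, RDP (from and to), RPC (from and to), SMB, SMTP, SQL Server, SSH (from and to) and Telnet rules in this patch; only the plain port 8000 rule is clean.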
@@ -1,17 +1,17 @@
 {
- "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
- "risk_score": 50,
 "description": "Network - FTP (File Transfer Protocol) Activity to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - FTP (File Transfer Protocol) Activity to the Internet\t",
+ "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
index 00976ea21cd44b..79814eb552d5ba 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
- "risk_score": 50,
 "description": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet\t",
+ "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
index 6363dd7529cd6e..d370773e3879f8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
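Review bot: The new `query` for the IRC rule is `(destination.port:20 or destination.port:21) and not destination.ip:...`, which is the FTP rule's query verbatim; ports 20/21 are FTP, so this rule duplicates the FTP rule and never matches IRC traffic. The commit reorders the keys but carries the wrong ports into the new file, so it is worth fixing here rather than in a follow-up. The ports should be the IRC ones the author intended — commonly 6667 and the TLS variant 6697, confirm against the rule's source — e.g. `"query": "(destination.port:6667 or destination.port:6697) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",`.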
@@ -1,17 +1,17 @@
 {
- "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
- "risk_score": 50,
 "description": "Network - NAT Traversal Port Activity\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - NAT Traversal Port Activity\t",
+ "query": "destination.port:4500",
+ "risk_score": 50,
+ "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:4500",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index bda9984167718f..cfdb5e6584ee37 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
- "risk_score": 50,
 "description": "Network - Port 26 Activity\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - Port 26 Activity\t",
+ "query": "destination.port:26",
+ "risk_score": 50,
+ "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:26",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
index efd92f988fd2bc..218109b73221d6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157",
- "risk_score": 50,
 "description": "Network - Port 8000 Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - Port 8000 Activity",
+ "query": "destination.port:8000",
+ "risk_score": 50,
+ "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:8000",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
index 790773f5308bb6..5eeda8e094bb97 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
- "risk_score": 50,
 "description": "Network - Port 8000 Activity to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - Port 8000 Activity to the Internet\t",
+ "query": "destination.port:8000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:8000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
index f22a23648a7fa4..7b83966e18e704 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
- "risk_score": 50,
 "description": "Network - PPTP (Point to Point Tunneling Protocol) Activity\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - PPTP (Point to Point Tunneling Protocol) Activity\t",
+ "query": "destination.port:1723",
+ "risk_score": 50,
+ "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:1723",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index e7cc9b2b07cfdd..3a55db40504592 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
- "risk_score": 50,
 "description": "Network - Proxy Port Activity to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - Proxy Port Activity to the Internet\t",
+ "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index 69383d91ccbb90..e5c1e33470fa47 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
- "risk_score": 50,
 "description": "Network - RDP (Remote Desktop Protocol) from the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - RDP (Remote Desktop Protocol) from the Internet\t",
+ "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
index b069bd5e3ca67f..92316f2bb05daf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
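Review bot: The new `query` for "RDP from the Internet" is `(destination.port:8080 or destination.port:3128) and not destination.ip:...`, the proxy-port rule's query, so this rule matches proxy traffic and never RDP; the RPC-from-the-Internet rule further down has the same copy-paste shape, carrying the RDP-to-the-Internet query (`destination.port:3389`) instead of the RPC port its sibling uses (`destination.port:135`). A from-the-Internet rule should key on the service port and exclude private *source* ranges the way the SSH-from-the-Internet rule in this patch does, rather than excluding private destinations. For RDP: `"query": "destination.port:3389 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",`; for RPC: `"query": "destination.port:135 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",`. Each rule's `rule_id` should stay as is so existing installs pick the fix up as an update.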
@@ -1,17 +1,17 @@
 {
- "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
- "risk_score": 50,
 "description": "Network - RDP (Remote Desktop Protocol) to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - RDP (Remote Desktop Protocol) to the Internet\t",
+ "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index bef842ec2adc35..69d6d18ced8b9d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
- "risk_score": 50,
 "description": "Network - RPC (Remote Procedure Call) from the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - RPC (Remote Procedure Call) from the Internet\t",
+ "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
index 15184aee86edb8..1f9a71bab92442 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
- "risk_score": 50,
 "description": "Network - RPC (Remote Procedure Call) to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - RPC (Remote Procedure Call) to the Internet\t",
+ "query": "destination.port:135 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:135 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index 365490792ed377..627a89609cc21f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
- "risk_score": 50,
 "description": "Network - SMB (Windows File Sharing) Activity to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - SMB (Windows File Sharing) Activity to the Internet\t",
+ "query": "(destination.port:139 or destination.port:445) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:139 or destination.port:445) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
index b16e84e8cea742..ff5a61cbe00e67 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
- "risk_score": 50,
 "description": "Network - SMTP to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - SMTP to the Internet\t",
+ "query": "destination.port:25 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:25 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
index 4e884f0de11673..eeeb93e12938f0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
- "risk_score": 50,
 "description": "Network - SQL Server Port Activity to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - SQL Server Port Activity to the Internet\t",
+ "query": "destination.port:1433 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:1433 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
index f7340b710be358..11f24626fa0c19 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
- "risk_score": 50,
 "description": "Network - SSH (Secure Shell) from the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - SSH (Secure Shell) from the Internet\t",
+ "query": "destination.port:22 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:22 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
index 21877b9716aaeb..ded8c005c4462e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
- "risk_score": 50,
 "description": "Network - SSH (Secure Shell) to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - SSH (Secure Shell) to the Internet\t",
+ "query": "destination.port:22 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:22 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
index 2d917277bcb85e..a48f311163c2da 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
- "risk_score": 50,
 "description": "Network - Telnet Port Activity\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - Telnet Port Activity\t",
+ "query": "destination.port:23",
+ "risk_score": 50,
+ "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:23",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
index 991cc02a2123fa..713cc7da72e571 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
- "risk_score": 50,
 "description": "Network - Tor Activity to the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - Tor Activity to the Internet\t",
+ "query": "(destination.port:9001 or destination.port:9030) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:9001 or destination.port:9030) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
index 5fbffa0149783a..4f1dba808600e4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
- "risk_score": 50,
 "description": "Network - VNC (Virtual Network Computing) From the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - VNC (Virtual Network Computing) From the Internet\t",
+ "query": "destination.port:5800 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:5800 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
index 9d3608cb9e05df..fd04ae3ae7dee1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
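Review bot: Both VNC rules — this hunk and the "To the Internet" one in the next hunk — test only `destination.port:5800`. 5800 is the port of VNC's HTTP/Java-viewer front end; the RFB service that remote-control clients connect to listens on 5900 (5900 plus the display number), so as written the rules miss the usual case their names describe. `"query": "destination.port:(5800 or 5900) and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",` here, with the matching `destination.ip` form in the "To" rule, would cover both; this is read from the port numbers alone, so confirm it against the intended data source.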
@@ -1,17 +1,17 @@
 {
- "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
- "risk_score": 50,
 "description": "Network - VNC (Virtual Network Computing) To the Internet\t",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Network - VNC (Virtual Network Computing) To the Internet\t",
+ "query": "destination.port:5800 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:5800 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
new file mode 100644
index 00000000000000..d563944171b7ac
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
@@ -0,0 +1,35 @@
+{
+ "description": "Null user agent",
+ "enabled": false,
+ "filters": [
+ {
+ "meta": {
+ "alias": null,
+ "negate": true,
+ "disabled": false,
+ "type": "exists",
+ "key": "user_agent.original",
+ "value": "exists",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ },
+ "exists": {
+ "field": "user_agent.original"
+ },
+ "$state": {
+ "store": "appState"
+ }
+ }
+ ],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Null user agent",
+ "query": "url.path: *",
+ "risk_score": 50,
+ "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
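Review bot: The new `null_user_agent.json` has a `description` that only repeats its name, so nothing tells an analyst what the rule asserts: a negated `exists` filter on `user_agent.original` plus `url.path: *`, i.e. HTTP events that record a URL path but no user agent. Something like `"description": "HTTP requests that record a URL path but no User-Agent value. Browsers send one almost without exception, so an absent value usually means a script, a scanner or a proxy that strips headers; low severity because some legitimate clients and monitoring probes omit it too.",` would make the low severity and the `enabled: false` default explainable. The filter also carries `"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"`, a saved-search reference that nothing in this file resolves; if the detection engine ignores it, documenting that (or dropping the key) would settle the same question for the powershell, Acrobat, Office and search_windows_10 rules in this patch.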
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json
index ba86dd5bdf1dbb..075f77490a237c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json
@@ -1,29 +1,22 @@
 {
- "rule_id": "8e792144-39a6-4a63-9779-2f12719dc132",
- "risk_score": 50,
 "description": "Powershell network connection",
- "immutable": true,
- "interval": "5m",
- "name": "Powershell network connection",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
- "query": "process.name:powershell.exe",
- "language": "kuery",
+ "enabled": false,
 "filters": [
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": false,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "event.action",
- "value": "Network connection detected (rule: NetworkConnect)",
+ "negate": false,
 "params": {
 "query": "Network connection detected (rule: NetworkConnect)"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ "type": "phrase",
+ "value": "Network connection detected (rule: NetworkConnect)"
 },
 "query": {
 "match": {
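Review bot: The query on the new side, `process.name:powershell.exe`, covers only Windows PowerShell; PowerShell Core ships as `pwsh.exe` and the ISE host as `powershell_ise.exe`, so if the rule means "PowerShell makes a network connection" it should read `"query": "process.name:(powershell.exe or pwsh.exe or powershell_ise.exe)",`, or the description should state the narrower scope instead of repeating the name. The second filter, which continues in the next hunk, negates `destination.ip: 169.254.169.254`, the link-local instance-metadata address: presumably a noise reduction for cloud agents that poll it, but it also suppresses PowerShell reaching the metadata service, which cloud detection guidance generally treats as a signal worth keeping. Whichever way that decision goes, the reason for the exclusion belongs in the description so the next maintainer does not remove or keep it by accident.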
@@ -32,23 +25,23 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 },
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": true,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
 "key": "destination.ip",
- "value": "169.254.169.254",
+ "negate": true,
 "params": {
 "query": "169.254.169.254"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index"
+ "type": "phrase",
+ "value": "169.254.169.254"
 },
 "query": {
 "match": {
@@ -57,12 +50,19 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 }
 ],
- "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Powershell network connection",
+ "query": "process.name:powershell.exe",
+ "risk_score": 50,
+ "rule_id": "8e792144-39a6-4a63-9779-2f12719dc132",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json
index d6743c1ead4acb..5ed0ad3899b4ce 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb",
- "risk_score": 50,
 "description": "Process Execution via WMI",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Process Execution via WMI",
+ "query": "process.name:scrcons.exe",
+ "risk_score": 50,
+ "rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:scrcons.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json
index 99968dbdcc00db..c00b88e5f88ef2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json
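Review bot: As in most rules in this patch, `description` here merely repeats `name`, so the rule list gives no hint why `process.name:scrcons.exe` matters. `scrcons.exe` is the WMI standard event consumer scripting host — the process that runs scripts bound to permanent WMI event subscriptions, something legitimate software seldom registers — and one sentence saying so, plus the expected benign sources, would let an analyst triage the alert without looking the binary up. The same applies to the Acrobat, Office, Defender, PsExec and Splunk-derived rules below; a proposed wording for this one: `"description": "Execution of scrcons.exe, the WMI standard event consumer host that runs scripts bound to permanent WMI event subscriptions; legitimate software seldom registers these, so review the subscription and the script it runs.",`.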
@@ -1,29 +1,22 @@
 {
- "rule_id": "c359628d-d5af-4a20-99df-aeeea109b690",
- "risk_score": 50,
 "description": "Process started by Acrobat reader - possible payload",
- "immutable": true,
- "interval": "5m",
- "name": "Process started by Acrobat reader - possible payload",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
- "query": "process.parent.name:AcroRd32.exe",
- "language": "kuery",
+ "enabled": false,
 "filters": [
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": false,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
+ "negate": false,
 "params": {
 "query": "Process Create (rule: ProcessCreate)"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ "type": "phrase",
+ "value": "Process Create (rule: ProcessCreate)"
 },
 "query": {
 "match": {
@@ -32,12 +25,19 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 }
 ],
- "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process started by Acrobat reader - possible payload",
+ "query": "process.parent.name:AcroRd32.exe",
+ "risk_score": 50,
+ "rule_id": "c359628d-d5af-4a20-99df-aeeea109b690",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json
index 9241a2a44eb069..5237b17e7d69f2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json
@@ -1,29 +1,22 @@
 {
- "rule_id": "3181b814-08e3-43f9-b77a-a2530603b131",
- "risk_score": 50,
 "description": "Process started by MS Office program - possible payload",
- "immutable": true,
- "interval": "5m",
- "name": "Process started by MS Office program - possible payload",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
- "query": " process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
- "language": "kuery",
+ "enabled": false,
 "filters": [
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": false,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
+ "negate": false,
 "params": {
 "query": "Process Create (rule: ProcessCreate)"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ "type": "phrase",
+ "value": "Process Create (rule: ProcessCreate)"
 },
 "query": {
 "match": {
@@ -32,12 +25,19 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 }
 ],
- "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process started by MS Office program - possible payload",
+ "query": " process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
+ "risk_score": 50,
+ "rule_id": "3181b814-08e3-43f9-b77a-a2530603b131",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
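Review bot: The `query` on the new side still starts with a stray leading space (`" process.parent.name:EXCEL.EXE or …"`), carried over from the old side. KQL tolerates it, but it makes the stored rule differ from any trimmed copy when rules are compared, de-duplicated or hashed by content, and it reads as an editing slip; trim it to `"query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",`. The Spoolsv rule (`"…not process.name:regsvr32.exe "`) and the "Processes launching netsh" rule (`"…(rule: ProcessCreate)\" "`) have the same problem with a trailing space. Separately, if `process.parent.name` is mapped as ECS `keyword`, these upper-case names match case-sensitively and a parent reported as `excel.exe` or `Excel.exe` is missed; the mapping is not visible here, so confirm against the shipper's data before relying on the rule.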
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json
index 3f1dc90c99c97e..1a686a4482df6e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b3da3321-417d-494b-854c-b40369e063f0",
- "risk_score": 50,
 "description": "Process started by Windows Defender",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Process started by Windows Defender",
+ "query": "parent.process.name:MsMpEng.exe",
+ "risk_score": 50,
+ "rule_id": "b3da3321-417d-494b-854c-b40369e063f0",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "parent.process.name:MsMpEng.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json
index 3797b44c6d9670..b928e7dc805766 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json
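Review bot: The new-side query `parent.process.name:MsMpEng.exe` uses a field that does not exist in ECS — it is the inverse of `process.parent.name`, which every other parent-process rule in this patch (Acrobat, Office, Spoolsv, netsh) uses — so the rule can never match a document. Change it to `"query": "process.parent.name:MsMpEng.exe",`. The defect is pre-existing and the commit only re-sorts keys, but the rule ships as `immutable: true`, so it is worth fixing in the same pass rather than after release.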
@@ -1,17 +1,17 @@
 {
- "rule_id": "9511b7f4-3898-4813-8bd3-d810b03148ab",
- "risk_score": 50,
 "description": "PSexec activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "PSexec activity",
+ "query": "process.name:PsExec.exe or process.name:PsExec64.exe",
+ "risk_score": 50,
+ "rule_id": "9511b7f4-3898-4813-8bd3-d810b03148ab",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:PsExec.exe or process.name:PsExec64.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json
index 86c1c36f4b832c..ab76b1ed9ff9ec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json
@@ -1,16 +1,6 @@
 {
- "rule_id": "5d00c579-794c-4f64-be52-1ed8cae2b11e",
- "risk_score": 50,
 "description": "(Search) Windows 10",
- "immutable": true,
- "interval": "5m",
- "name": "(Search) Windows 10",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
- "query": "",
- "language": "kuery",
+ "enabled": false,
 "filters": [
 {
 "$state": {
@@ -19,13 +9,13 @@
 "meta": {
 "alias": null,
 "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "agent.hostname",
 "negate": false,
 "params": {
 "query": "LAPTOP-CQNI37L2"
 },
- "type": "phrase",
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ "type": "phrase"
 },
 "query": {
 "match": {
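Review bot: The second hunk of `search_windows_10.json` keeps a filter on `agent.hostname` with the value `LAPTOP-CQNI37L2`, a specific machine name, and the first hunk leaves `query` empty, so the whole rule amounts to "Sysmon events from one particular laptop". Together with the `(Search)` prefix in the name this looks like an exported saved search that ended up in the prepackaged, `immutable: true` set: on any other deployment it can never fire, and it ships an internal hostname to every installation. It should be removed from `prepackaged_rules`, or, if a Windows 10 Sysmon rule is wanted, given a real `query` with the hostname filter deleted. The file's remaining hunks are in the next line of the patch.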
@@ -37,16 +27,19 @@
 }
 },
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
 "alias": null,
- "negate": false,
 "disabled": false,
- "type": "phrase",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
 "key": "event.provider",
+ "negate": false,
 "params": {
 "query": "Microsoft-Windows-Sysmon"
 },
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index"
+ "type": "phrase"
 },
 "query": {
 "match": {
@@ -55,12 +48,19 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 }
 ],
- "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "(Search) Windows 10",
+ "query": "",
+ "risk_score": 50,
+ "rule_id": "5d00c579-794c-4f64-be52-1ed8cae2b11e",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json
index 554ddb1468d0ba..e20197dfd2c928 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d",
- "risk_score": 50,
 "description": "Splunk - Child Processes of Spoolsv.exe",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Child Processes of Spoolsv.exe",
+ "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
+ "risk_score": 50,
+ "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json
index 30dd0023b44914..11186bfb44d62b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00",
- "risk_score": 50,
 "description": "Splunk - Detect Large Outbound ICMP Packets",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Detect Large Outbound ICMP Packets",
+ "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json
index 8ae0c57d6aeaae..724985b2d1de8e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json
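Review bot: The name promises large outbound ICMP packets, but the size test on the new side is `network.bytes>1000`: in ECS `network.bytes` is the flow's total in both directions, so a large reply from the public host trips the rule just as an outbound payload does, and it is a flow total rather than a packet size. If direction matters, `source.bytes` (the per-direction counter, sibling of the `server.bytes` the DNS rule below uses) is the field to test, e.g. `"query": "network.transport:icmp and source.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",`; otherwise the name and description should describe a flow-size threshold. This assumes the data source populates the ECS byte counters as documented, which should be confirmed against the shipper.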
@@ -1,17 +1,17 @@
 {
- "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba",
- "risk_score": 50,
 "description": "Splunk - Detect Long DNS TXT Record Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Detect Long DNS TXT Record Response",
+ "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
+ "risk_score": 50,
+ "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json
index 39cb60d130a690..c0e773f09b1684 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json
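Review bot: The new-side query `network.protocol:dns and server.bytes>100 …` does not constrain the record type, so despite the name it fires on any DNS response of more than 100 bytes, which is routine for multi-record A/AAAA answers, EDNS or DNSSEC traffic. If TXT responses are the intent, add the ECS question-type field, e.g. `"query": "network.protocol:dns and dns.question.type:TXT and server.bytes>100 and not destination.ip:10.0.0.0/8 …"`, and reconsider the threshold; if not, rename the rule to what it measures. `127.0.0.53` in the exclusion list presumably stands for systemd-resolved's stub listener; saying so in the description keeps it from being cleaned up as a typo.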
@@ -1,17 +1,17 @@
 {
- "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16",
- "risk_score": 50,
 "description": "Splunk - Detect New Local Admin account",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Detect New Local Admin account",
+ "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
+ "risk_score": 50,
+ "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json
index b8b4d5f34037d0..f9ad5793f25475 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json
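Review bot: In `event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators` the `TargetUserName` field means different things for the two events: for 4732 (member added to a security-enabled local group) it is the group name, but for 4720 (user account created) it is the new account's name, so the 4720 branch matches only an account literally called `Administrators` and in practice never fires. If "new local admin" means group membership, `"query": "event.code:4732 and winlog.event_data.TargetUserName:Administrators",` says exactly that; if account creation should also alert, 4720 needs its own clause without the group condition, or its own rule, since it will be far noisier. This is based on the documented field layout of those two events and is worth confirming against a sample of each.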
@@ -1,17 +1,17 @@
 {
- "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e",
- "risk_score": 50,
 "description": "Splunk - Detect PsExec With accepteula Flag",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Detect PsExec With accepteula Flag",
+ "query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
+ "risk_score": 50,
+ "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json
index 1cd29886f3cd04..0a67c3adeaea55 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json
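Review bot: The new-side query `process.name:PsExec.exe and process.args:\"-accepteula\"` covers only the `-accepteula` spelling, while PsExec also accepts `/accepteula`, and it omits the `PsExec64.exe` binary that the `psexec_activity` rule above already lists. `"query": "process.name:(PsExec.exe or PsExec64.exe) and process.args:(\"-accepteula\" or \"/accepteula\")",` would close both gaps. If `process.args` is mapped as `keyword`, the match is also case-sensitive and `-AcceptEULA` would be missed; the mapping is not visible here, so confirm it.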
@@ -1,17 +1,17 @@
 {
- "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c",
- "risk_score": 50,
 "description": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
+ "risk_score": 50,
+ "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json
index cbedcb655990f4..466f9aff019426 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6",
- "risk_score": 50,
 "description": "Splunk - Processes created by netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Processes created by netsh",
+ "query": "process.parent.name:netsh.exe",
+ "risk_score": 50,
+ "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.parent.name:netsh.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
index c25e6211a3bb98..cc54721cd92f2f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd",
- "risk_score": 50,
 "description": "Splunk - Processes launching netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Processes launching netsh",
+ "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
+ "risk_score": 50,
+ "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
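Review bot: In the splunk_processes_launching_netsh.json hunk the new `query` value ends with a stray space inside the string, `... (rule: ProcessCreate)\" "`. KQL tolerates the trailing whitespace, but the value no longer compares byte-for-byte with the sibling rules and is exactly the kind of thing that trips rule deduplication or snapshot tests; trim it to `"query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\"",`. The same trailing space was already on the removed line, so this is a carried-over defect rather than a regression, but this reordering is the natural moment to fix it.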
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
index 12eafea8d88c9a..c68e074d438171 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39",
- "risk_score": 50,
 "description": "Splunk - Protocols passing authentication in cleartext",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Protocols passing authentication in cleartext",
+ "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
+ "risk_score": 50,
+ "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
index 7317f491d1a9d4..5f36d6623bcfb2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
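Review bot: The new `query` value `destination.port:(21 or 23 or 110 or 143) and network.transport:tcp` matches every TCP flow to those ports, not only sessions that actually send credentials unencrypted; FTP, POP3 and IMAP sessions that upgrade to TLS on the same ports (AUTH TLS / STARTTLS) fire it just the same, so `name` promises more than the logic checks. Either state in `description` that this is a port-based heuristic, or narrow the query to flows where the decoder observed an unencrypted login if the event source exposes that. `description` currently only repeats `name`, so there is room for that caveat.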
@@ -1,17 +1,17 @@
 {
- "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde",
- "risk_score": 50,
 "description": "Splunk - Windows Event Log Cleared",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Windows Event Log Cleared",
+ "query": "event.code:(1102 or 1100)",
+ "risk_score": 50,
+ "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:(1102 or 1100)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
new file mode 100644
index 00000000000000..48cf20bcbacf7e
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
@@ -0,0 +1,17 @@
+{
+ "description": "SQLmap user agent",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "SQLmap user agent",
+ "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+ "risk_score": 50,
+ "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json
index 332f174cad2cf8..05d54f6bdb4c63 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json
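Review bot: In the splunk_windows_event_log_cleared.json hunk, `event.code:(1102 or 1100)` pairs the Security-log clear (1102) with 1100, which Windows writes whenever the event logging service shuts down, i.e. on every clean reboot, so a rule named "Windows Event Log Cleared" will fire on routine shutdowns. Event ID 104, raised when a non-Security log is cleared, is the natural companion of 1102 and is not covered; consider `event.code:(1102 or 104)` and keep 1100 only if shutdown correlation is intended. Because `event.code` values are reused across providers, scoping on a channel or provider field (e.g. `winlog.channel`) would also cut false positives. `description` currently just repeats `name`.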
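Review bot: The new sqlmap_user_agent.json rule pins `user_agent.original` to one exact release string, `sqlmap/1.3.11#stable (http://sqlmap.org)`, so any other version reported in the tool's default user agent is silently missed and the rule ages out with the next release. A prefix match such as `"query": "user_agent.original:sqlmap*"` keeps the intent without hard-coding a version; if the field is indexed as text rather than keyword in the target mapping, the exact-phrase form should at least drop the version segment. Since this is a brand-new file, it is also the place to add `references` and a `threats` mapping, as the Suricata Base64 rules in this patch do.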
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json
@@ -1,17 +1,43 @@
 {
- "rule_id": "6ff01a30-95dd-471c-b61d-0fd9ee2d0a20",
- "risk_score": 50,
 "description": "Suricata Base64 Encoded Invoke-Command Powershell Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Base64 Encoded Invoke-Command Powershell Execution",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187) or rule.id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L179-L184",
+ "This group of signatures detect base-64 encoded variations of the 'Invoke-Command' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel."
+ ],
+ "risk_score": 50,
+ "rule_id": "6ff01a30-95dd-471c-b61d-0fd9ee2d0a20",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1001",
+ "name": "data obfuscation",
+ "reference": "https://attack.mitre.org/techniques/T1001/"
+ },
+ {
+ "id": "T1132",
+ "name": "data encoding",
+ "reference": "https://attack.mitre.org/techniques/T1132/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
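Review bot: The second entry of the new `references` array is an explanatory sentence ("This group of signatures detect base-64 encoded variations ..."), not a URL; the field is presented as a list of links, so that text belongs in `description`, which currently only repeats `name`. The same mismatch is in the New-Object and Start-Process hunks that follow (suricata_base64_encoded_newobject_powershell_execution.json, suricata_base64_encoded_startprocess_powershell_execution.json). Separately, `severity` is raised to `high` while `risk_score` stays at 50, and the category hunks later in the patch do the same for Attempted Administrator Privilege Gain, Attempted Denial of Service, Executable code and Exploit Kit, whereas Denial of Service and Denial of Service Attack pair medium/75 and high/100; pick one `risk_score` per severity level and apply it across the prepackaged set.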
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json
index a86f7fa07e7d99..ac47a6877c5250 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json
@@ -1,17 +1,43 @@
 {
- "rule_id": "d14d5401-0f7a-4933-b816-1b8f823e3d84",
- "risk_score": 50,
 "description": "Suricata Base64 Encoded New-Object Powershell Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Base64 Encoded New-Object Powershell Execution",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193) or rule.id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L191-L196",
+ "This group of signatures detect base-64 encoded variations of the 'New-Object' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel."
+ ],
+ "risk_score": 50,
+ "rule_id": "d14d5401-0f7a-4933-b816-1b8f823e3d84",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1001",
+ "name": "data obfuscation",
+ "reference": "https://attack.mitre.org/techniques/T1001/"
+ },
+ {
+ "id": "T1132",
+ "name": "data encoding",
+ "reference": "https://attack.mitre.org/techniques/T1132/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json
index 722ce65dd83e8b..972299bbd74b04 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json
@@ -1,17 +1,43 @@
 {
- "rule_id": "372dce88-003d-4bcf-8c95-34ea8be180a1",
- "risk_score": 50,
 "description": "Suricata Base64 Encoded Start-Process Powershell Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Base64 Encoded Start-Process Powershell Execution",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199) or rule.id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L191-L196",
+ "This group of signatures detect base-64 encoded variations of the 'Start-Process' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel."
+ ],
+ "risk_score": 50,
+ "rule_id": "372dce88-003d-4bcf-8c95-34ea8be180a1",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1001",
+ "name": "data obfuscation",
+ "reference": "https://attack.mitre.org/techniques/T1001/"
+ },
+ {
+ "id": "T1132",
+ "name": "data encoding",
+ "reference": "https://attack.mitre.org/techniques/T1132/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
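Review bot: The new `references` URL anchor `hunting.rules#L191-L196` is identical to the one in the New-Object rule two hunks earlier, while the Invoke-Command rule points at `#L179-L184`. Given that the Start-Process signature IDs here (2610194–2610199) directly follow the New-Object block (2610188–2610193), the Start-Process signatures presumably sit at a different line range in that file, so this looks like a copy-paste leftover; verify the anchor against the referenced file and update it (or drop the line range and link the file only, which does not rot when upstream lines move).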
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
index eb4fa0fe411a9f..bb6a57f905bf7d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2a3d91c1-5065-46ab-bed0-93f80835b1d5",
- "risk_score": 50,
 "description": "Suricata Category - A suspicious string was detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - A suspicious string was detected",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious string was detected\" or rule.category: \"A suspicious string was detected\")",
+ "risk_score": 50,
+ "rule_id": "2a3d91c1-5065-46ab-bed0-93f80835b1d5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious string was detected\" or rule.category: \"A suspicious string was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
index 3fc61c50927c77..9de1f5ad33712e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f840129e-9089-4f46-8af1-0745e8f54713",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Administrator Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Administrator Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Administrator Privilege Gain\" or rule.category: \"Attempted Administrator Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "f840129e-9089-4f46-8af1-0745e8f54713",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
index e888b2076f137f..d0c3eb9ba2331c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a62927f4-2488-4679-b56f-cda1a7f4c9e1",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Denial of Service",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Denial of Service",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Denial of Service\" or rule.category: \"Attempted Denial of Service\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "a62927f4-2488-4679-b56f-cda1a7f4c9e1",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
index ae93e8bce78012..75995d657b4640 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "88d69362-f496-41d6-8e6b-a2dbaed3513f",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Information Leak",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Information Leak",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Information Leak\" or rule.category: \"Attempted Information Leak\")",
+ "risk_score": 50,
+ "rule_id": "88d69362-f496-41d6-8e6b-a2dbaed3513f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Information Leak\" or rule.category: \"Attempted Information Leak\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
index c00e7a42aee06d..31d14a3b687089 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a84cd36c-dd5a-4e86-a2ce-44556c21cef0",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Login with Suspicious Username",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Login with Suspicious Username",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"An attempted login using a suspicious username was detected\" or rule.category: \"An attempted login using a suspicious username was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "a84cd36c-dd5a-4e86-a2ce-44556c21cef0",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
index 1b2fcbee310da6..13300e8a17694d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "eabce895-4602-4d20-8bf9-11c903bb3e08",
- "risk_score": 50,
 "description": "Suricata Category - Attempted User Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted User Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted User Privilege Gain\" or rule.category: \"Attempted User Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "eabce895-4602-4d20-8bf9-11c903bb3e08",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
index feedffeaacc9c4..9c1e3ef1b39f8e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "00503a3c-304c-421c-bfea-e5d8fdfd9726",
- "risk_score": 50,
 "description": "Suricata Category - Client Using Unusual Port",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Client Using Unusual Port",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A client was using an unusual port\" or rule.category: \"A client was using an unusual port\")",
+ "risk_score": 50,
+ "rule_id": "00503a3c-304c-421c-bfea-e5d8fdfd9726",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A client was using an unusual port\" or rule.category: \"A client was using an unusual port\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
index e05461baf36de6..a4ef732c2e1bd5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "74cd4920-a441-41d2-8a23-5bee70626e60",
- "risk_score": 50,
 "description": "Suricata Category - Crypto Currency Mining Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Crypto Currency Mining Activity",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Crypto Currency Mining Activity Detected\" or rule.category: \"Crypto Currency Mining Activity Detected\")",
+ "risk_score": 50,
+ "rule_id": "74cd4920-a441-41d2-8a23-5bee70626e60",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Crypto Currency Mining Activity Detected\" or rule.category: \"Crypto Currency Mining Activity Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
index 0e22aa66ca04dd..43f767f14b7e6c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e9fc5bd3-c8a1-442c-be6d-032da07c508b",
- "risk_score": 50,
 "description": "Suricata Category - Decode of an RPC Query",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Decode of an RPC Query",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Decode of an RPC Query\" or rule.category: \"Decode of an RPC Query\")",
+ "risk_score": 50,
+ "rule_id": "e9fc5bd3-c8a1-442c-be6d-032da07c508b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Decode of an RPC Query\" or rule.category: \"Decode of an RPC Query\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
index 0810168bbaf158..74a566563f15a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "190bd112-f831-4813-98b2-e45a934277c2",
- "risk_score": 50,
 "description": "Suricata Category - Default Username and Password Login Attempt",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Default Username and Password Login Attempt",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempt to login by a default username and password\" or rule.category: \"Attempt to login by a default username and password\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "190bd112-f831-4813-98b2-e45a934277c2",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
index d6ef10a86c1845..d7a615807593e6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0e97e390-84db-4725-965a-a8b0b600f7be",
- "risk_score": 50,
 "description": "Suricata Category - Denial of Service",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Denial of Service",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Denial of Service\" or rule.category: \"Denial of Service\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "0e97e390-84db-4725-965a-a8b0b600f7be",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
index 3f4975bcdfb144..e0bf4220d4467f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "42a60eaa-fd20-479b-b6ca-bdb88d47b34b",
- "risk_score": 50,
 "description": "Suricata Category - Denial of Service Attack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Denial of Service Attack",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Denial of Service Attack\" or rule.category: \"Detection of a Denial of Service Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 100,
+ "rule_id": "42a60eaa-fd20-479b-b6ca-bdb88d47b34b",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
index f1f6177e015035..09a72e761cb409 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4699296b-5127-475a-9d83-8434fcd18136",
- "risk_score": 50,
 "description": "Suricata Category - Executable code was detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Executable code was detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Executable code was detected\" or rule.category: \"Executable code was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "4699296b-5127-475a-9d83-8434fcd18136",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
index 025f0f4d266f93..8c8f5565da4e64 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b3111af8-79bf-4ec3-97ae-28d9ed9fbd38",
- "risk_score": 50,
 "description": "Suricata Category - Exploit Kit Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Exploit Kit Activity",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Exploit Kit Activity Detected\" or rule.category: \"Exploit Kit Activity Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "b3111af8-79bf-4ec3-97ae-28d9ed9fbd38",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
index eab3cb59108617..39c42d81ee59d5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c7df9ecf-d6be-4ef8-9871-cb317dfff0b4",
- "risk_score": 50,
 "description": "Suricata Category - External IP Address Retrieval",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - External IP Address Retrieval",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Device Retrieving External IP Address Detected\" or rule.category: \"Device Retrieving External IP Address Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "c7df9ecf-d6be-4ef8-9871-cb317dfff0b4",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
index 37b93ce6886d89..e4d15f667371f9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3309bffa-7c43-409a-acea-6631c1b077e5",
- "risk_score": 50,
 "description": "Suricata Category - Generic ICMP event",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Generic ICMP event",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic ICMP event\" or rule.category: \"Generic ICMP event\")",
+ "risk_score": 25,
+ "rule_id": "3309bffa-7c43-409a-acea-6631c1b077e5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic ICMP event\" or rule.category: \"Generic ICMP event\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
index ed5a6dbe47f5a4..faaccc5eee9926 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "6fd2deb4-a7a9-4221-8b7b-8d26836a8c30",
- "risk_score": 50,
 "description": "Suricata Category - Generic Protocol Command Decode",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Generic Protocol Command Decode",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic Protocol Command Decode\" or rule.category: \"Generic Protocol Command Decode\")",
+ "risk_score": 25,
+ "rule_id": "6fd2deb4-a7a9-4221-8b7b-8d26836a8c30",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic Protocol Command Decode\" or rule.category: \"Generic Protocol Command Decode\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
index 7cec0f24570ec5..c58b4a5f4b13a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "95df8ff4-7169-4c84-ae50-3561b1d1bc91",
- "risk_score": 50,
 "description": "Suricata Category - Information Leak",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Information Leak",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Information Leak\" or rule.category: \"Information Leak\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "95df8ff4-7169-4c84-ae50-3561b1d1bc91",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
index c871624f86d9f1..b1916165c6e903 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ca98de30-c703-4170-97ae-ab2b340f6080",
- "risk_score": 50,
 "description": "Suricata Category - Large Scale Information Leak",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Large Scale Information Leak",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Large Scale Information Leak\" or rule.category: \"Large Scale Information Leak\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "ca98de30-c703-4170-97ae-ab2b340f6080",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
index e0b7e41b67b92d..4682f973bdfc93 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "56656341-2940-4a69-b8fe-acf3c734f540",
- "risk_score": 50,
 "description": "Suricata Category - Malware Command and Control Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Malware Command and Control Activity",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Malware Command and Control Activity Detected\" or rule.category: \"Malware Command and Control Activity Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 100,
+ "rule_id": "56656341-2940-4a69-b8fe-acf3c734f540",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
index aad3b2c5057cef..49928bd4caaa53 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "403ddbde-a486-4dd7-b932-cee4ebef88b6",
- "risk_score": 50,
 "description": "Suricata Category - Misc Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Misc Activity",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc activity\" or rule.category: \"Misc activity\")",
+ "risk_score": 25,
+ "rule_id": "403ddbde-a486-4dd7-b932-cee4ebef88b6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc activity\" or rule.category: \"Misc activity\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
index eea27b6fa8ae2e..34c9059d264981 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "83277123-749f-49da-ad3d-d59f35490db1",
- "risk_score": 50,
 "description": "Suricata Category - Misc Attack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Misc Attack",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc Attack\" or rule.category: \"Misc Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "83277123-749f-49da-ad3d-d59f35490db1",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
index 0eb2b136bbef9d..9bc0572e257795 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7e969b45-d005-4173-aee7-a7aaa79bc372",
- "risk_score": 50,
 "description": "Suricata Category - Network Scan Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Network Scan Detected",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Network Scan\" or rule.category: \"Detection of a Network Scan\")",
+ "risk_score": 25,
+ "rule_id": "7e969b45-d005-4173-aee7-a7aaa79bc372",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Network Scan\" or rule.category: \"Detection of a Network Scan\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
index f3aeb8393c13f1..b319d5d2be079b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "76ffa464-ec03-42e1-87ee-87760c331061",
- "risk_score": 50,
 "description": "Suricata Category - Network Trojan Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Network Trojan Detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A Network Trojan was detected\" or rule.category: \"A Network Trojan was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 100,
+ "rule_id": "76ffa464-ec03-42e1-87ee-87760c331061",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
index c3b696afa8e439..c104b1d2acc450 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "82f9f485-873b-4eeb-b231-052ab81e05b8",
- "risk_score": 50,
 "description": "Suricata Category - Non-Standard Protocol or Event",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Non-Standard Protocol or Event",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a non-standard protocol or event\" or rule.category: \"Detection of a non-standard protocol or event\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "82f9f485-873b-4eeb-b231-052ab81e05b8",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
index e26180a429a812..4ff46e429c4c3a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c0f684ff-4f15-44e7-912d-aa8b8f08a910",
- "risk_score": 50,
 "description": "Suricata Category - Not Suspicious Traffic",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Not Suspicious Traffic",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Not Suspicious Traffic\" or rule.category: \"Not Suspicious Traffic\")",
+ "risk_score": 25,
+ "rule_id": "c0f684ff-4f15-44e7-912d-aa8b8f08a910",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Not Suspicious Traffic\" or rule.category: \"Not Suspicious Traffic\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
index 7a11a3738b7a41..6b06e23648cbdb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
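Review bot: a detection rule keyed on the Suricata category `Not Suspicious Traffic` produces signals that, by the category's own name, carry no security meaning; lowering `risk_score` to 25 reduces that noise but does not remove it. The rule ships `enabled: false`, which limits the blast radius, but I'd either drop it from the prepackaged set or give it a `description` that says when an analyst would actually want to turn it on, rather than repeating the name. The category is presumably used by upstream signature sets for benign-but-notable traffic; worth confirming against the signatures before keeping a rule for it.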
@@ -1,17 +1,17 @@
 {
- "rule_id": "8adfa89f-aa90-4d26-9d7a-7da652cae902",
- "risk_score": 50,
 "description": "Suricata Category - Observed C2 Domain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Observed C2 Domain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Domain Observed Used for C2 Detected\" or rule.category: \"Domain Observed Used for C2 Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "8adfa89f-aa90-4d26-9d7a-7da652cae902",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
index f21da57a4d7b74..7c4f096280ed47 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
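Review bot: `"risk_score": 75` ranks an observed C2 domain below Malware Command and Control Activity and Network Trojan Detected, both set to 100 in this same series, even though a lookup of a domain known to be used for C2 is the same class of compromise indicator. Consider `"risk_score": 100` to match those two, or note in the PR description why a domain observation is deliberately scored below the C2 traffic itself. Whatever the choice, the rule's `version` is unchanged, so already-installed copies may not pick up the new score.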
@@ -1,17 +1,17 @@
 {
- "rule_id": "7d2d5a5f-f590-407d-933a-42adb1a7bcef",
- "risk_score": 50,
 "description": "Suricata Category - Possible Social Engineering Attempted",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Possible Social Engineering Attempted",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possible Social Engineering Attempted\" or rule.category: \"Possible Social Engineering Attempted\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "7d2d5a5f-f590-407d-933a-42adb1a7bcef",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
index 7303185c6e9a4f..7e5f92c15e4141 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1b9a31e8-fdfa-400e-aa4e-79a7f1a1da18",
- "risk_score": 50,
 "description": "Suricata Category - Possibly Unwanted Program",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Possibly Unwanted Program",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possibly Unwanted Program Detected\" or rule.category: \"Possibly Unwanted Program Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "1b9a31e8-fdfa-400e-aa4e-79a7f1a1da18",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
index d3f867778bb43b..221cfaab48e004 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1c70f5d5-eae0-4d00-b35a-d34ca607094e",
- "risk_score": 50,
 "description": "Suricata Category - Potential Corporate Privacy Violation",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Potential Corporate Privacy Violation",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potential Corporate Privacy Violation\" or rule.category: \"Potential Corporate Privacy Violation\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "1c70f5d5-eae0-4d00-b35a-d34ca607094e",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
index f77fe14014db30..fc1baf20147577 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
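Review bot: `severity` is raised to `high` while `risk_score` drops from 50 to 25, the lowest score used anywhere in this series; that pairing looks like a transcription slip rather than a deliberate choice, since Information Leak and Potentially Bad Traffic keep 25 with `medium`. Either `"severity": "medium"` to match the 25, or a higher `risk_score` if the category really is meant to be high. As committed, the rule will display as high severity in the UI but sort below medium rules in any risk-score ordering, which is the opposite of what an analyst triaging by either field would expect.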
@@ -1,17 +1,17 @@
 {
- "rule_id": "197cdd5a-9880-4780-a87c-594d0ed2b7b4",
- "risk_score": 50,
 "description": "Suricata Category - Potentially Bad Traffic",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Potentially Bad Traffic",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potentially Bad Traffic\" or rule.category: \"Potentially Bad Traffic\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "197cdd5a-9880-4780-a87c-594d0ed2b7b4",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
index 1665f8ca824249..cfcb246d44f4d1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0993e926-1a01-4c28-918a-cdd5741a19a8",
- "risk_score": 50,
 "description": "Suricata Category - Potentially Vulnerable Web Application Access",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Potentially Vulnerable Web Application Access",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"access to a potentially vulnerable web application\" or rule.category: \"access to a potentially vulnerable web application\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "0993e926-1a01-4c28-918a-cdd5741a19a8",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
index e7b636c421c161..919083650682c9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f068e655-1f52-4d81-839a-9c08c6543ceb",
- "risk_score": 50,
 "description": "Suricata Category - Successful Administrator Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Successful Administrator Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Administrator Privilege Gain\" or rule.category: \"Successful Administrator Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "f068e655-1f52-4d81-839a-9c08c6543ceb",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
index bb87b86a75860a..feb708316fbd8a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "90f3e735-2187-4e8e-8d28-6e3249964851",
- "risk_score": 50,
 "description": "Suricata Category - Successful Credential Theft",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Successful Credential Theft",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Credential Theft Detected\" or rule.category: \"Successful Credential Theft Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "90f3e735-2187-4e8e-8d28-6e3249964851",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
index d6af6e2baabea2..8a7e366d25e585 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f8ebd022-6e92-4b80-ac49-7ee011ba2ce0",
- "risk_score": 50,
 "description": "Suricata Category - Successful User Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Successful User Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful User Privilege Gain\" or rule.category: \"Successful User Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "f8ebd022-6e92-4b80-ac49-7ee011ba2ce0",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
index 205940bb7d0bc3..356c0d23dd4e9c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d0489b07-8140-4e3d-a2b7-52f2c06fdc7c",
- "risk_score": 50,
 "description": "Suricata Category - Suspicious Filename Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Suspicious Filename Detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious filename was detected\" or rule.category: \"A suspicious filename was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "d0489b07-8140-4e3d-a2b7-52f2c06fdc7c",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
index a86ea16ddf2077..f41692fb218412 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "44a5c55a-a34f-43c3-8f21-df502862aa9b",
- "risk_score": 50,
 "description": "Suricata Category - System Call Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - System Call Detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A system call was detected\" or rule.category: \"A system call was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "44a5c55a-a34f-43c3-8f21-df502862aa9b",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
index 8923c07341b935..9c13b53f43263d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d299379d-41de-4640-96b6-77aaa9adfa6f",
- "risk_score": 50,
 "description": "Suricata Category - Targeted Malicious Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Targeted Malicious Activity",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Targeted Malicious Activity was Detected\" or rule.category: \"Targeted Malicious Activity was Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "d299379d-41de-4640-96b6-77aaa9adfa6f",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
index a1e400c71b8be2..eb41269d58ffa1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ddf402cf-307d-4f46-a25d-dce3aee1ad13",
- "risk_score": 50,
 "description": "Suricata Category - TCP Connection Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - TCP Connection Detected",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A TCP connection was detected\" or rule.category: \"A TCP connection was detected\")",
+ "risk_score": 0,
+ "rule_id": "ddf402cf-307d-4f46-a25d-dce3aee1ad13",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A TCP connection was detected\" or rule.category: \"A TCP connection was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
index 28ae09a6cbe5c8..a260d049633b98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
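Review bot: `"risk_score": 0` puts every signal this rule produces at the very bottom of any risk-sorted view, which hides it even from a user who deliberately enabled the rule; the equally informational Unknown Traffic category gets 25 in this same change. If the intent is "informational only", `"risk_score": 25,` with low severity keeps the two consistent. If the intent is that nobody should ever turn it on, it is cleaner not to ship it as a prepackaged rule at all.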
@@ -1,17 +1,17 @@
 {
- "rule_id": "827ea90c-00c2-45f7-b873-dd060297b2d2",
- "risk_score": 50,
 "description": "Suricata Category - Unknown Traffic",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Unknown Traffic",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unknown Traffic\" or rule.category: \"Unknown Traffic\")",
+ "risk_score": 25,
+ "rule_id": "827ea90c-00c2-45f7-b873-dd060297b2d2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unknown Traffic\" or rule.category: \"Unknown Traffic\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
index 5eba26752f7177..c57cc857cef676 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "85471d30-78c9-48f6-b2db-ab5b2547e450",
- "risk_score": 50,
 "description": "Suricata Category - Unsuccessful User Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Unsuccessful User Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unsuccessful User Privilege Gain\" or rule.category: \"Unsuccessful User Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "85471d30-78c9-48f6-b2db-ab5b2547e450",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
index 6cd7b2d87ac1aa..4014473971b8ef 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
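Review bot: `"severity": "high"` with `"risk_score": 50` makes a failed privilege-gain attempt rank identically to the Successful User Privilege Gain rule updated in this same change; a failed attempt normally sits a notch lower so that analysts see confirmed escalations first. Suggest `"severity": "medium",` and keep 50, which matches the medium/50 pairing used for System Call Detected. The query itself mirrors the successful-gain rule and looks correct.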
@@ -1,17 +1,17 @@
 {
- "rule_id": "e856918b-f26e-4893-84b9-3deb65046fb7",
- "risk_score": 50,
 "description": "Suricata Category - Web Application Attack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Web Application Attack",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Web Application Attack\" or rule.category: \"Web Application Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "e856918b-f26e-4893-84b9-3deb65046fb7",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
index bffcd182358398..e77e977d780d5e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
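Review bot: the Web Application Attack category rule ships without a `threats` block, while the per-signature web rules added in this same change (traversal, double encoding, the CVE rules) all map to tactic `TA0001` / technique `T1190`. The same mapping fits this category rule, so adding the identical `threats` array here would let users filter it alongside the others. `references` is also absent; a link to the Suricata classification documentation for this category would be a reasonable entry.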
@@ -1,17 +1,17 @@
 {
- "rule_id": "481ef0f5-beda-4fa2-8bfb-039c95500deb",
- "risk_score": 50,
 "description": "Suricata CobaltStrike Artifact in an DNS Request",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata CobaltStrike Artifact in an DNS Request",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610166 or 2610167 or 2610168) or rule.id: (2610166 or 2610167 or 2610168))",
+ "risk_score": 100,
+ "rule_id": "481ef0f5-beda-4fa2-8bfb-039c95500deb",
+ "severity": "high",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610166 or 2610167 or 2610168)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
index 334a632697a817..a866c79a858224 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
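Review bot: the `name` and `description` strings read `in an DNS Request`; these are user-facing in the rules table and should read `in a DNS Request`, e.g. `"name": "Suricata CobaltStrike Artifact in a DNS Request",`. The query change itself is sound: it now accepts either `suricata.eve.alert.signature_id` or the ECS `rule.id` field, in line with the other rewritten rules. The file name carries the same typo, so a rename would be needed to keep the two aligned.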
@@ -1,17 +1,17 @@
 {
- "rule_id": "1844dfe1-b05e-4ca6-b367-6b9e3a1fe227",
- "risk_score": 50,
 "description": "Suricata Commonly Abused DNS Domain Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Commonly Abused DNS Domain Detected",
+ "query": " event.module:suricata and event.kind:alert and (suricata.eve.alert.signature:(TGI* and *HUNT* and *Abused* and *TLD*) or rule.description:(TGI* and *HUNT* and *Abused* and *TLD*))",
+ "risk_score": 25,
+ "rule_id": "1844dfe1-b05e-4ca6-b367-6b9e3a1fe227",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature:(TGI* and *HUNT* and *Abused* and *TLD*) and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
index 098b873210d6fa..862d5417fadcc4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
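Review bot: the new `query` string begins with a leading space (`" event.module:suricata…"`); KQL tolerates it, but it is the only query in this batch with one and looks like a paste artefact, so trim it. More importantly, every term in `(TGI* and *HUNT* and *Abused* and *TLD*)` except the first is a leading-wildcard match, and the same four-term pattern is applied a second time to `rule.description`; leading wildcards on keyword fields force a full term scan and are the most expensive query shape in this rule set, running every 5 minutes. If the upstream hunting rule set assigns stable signature IDs to these alerts, matching on `signature_id`/`rule.id` like the neighbouring rules would be both cheaper and more precise.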
@@ -1,17 +1,17 @@
 {
- "rule_id": "c0ca8090-60f8-4458-befe-c43687b648a3",
- "risk_score": 50,
 "description": "Suricata Directory Reversal Characters in an HTTP Request",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Directory Reversal Characters in an HTTP Request",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610161 or 2610162)",
+ "risk_score": 50,
+ "rule_id": "c0ca8090-60f8-4458-befe-c43687b648a3",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610161 or 2610162)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json
new file mode 100644
index 00000000000000..73cb913e271a16
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json
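Review bot: this rule keeps matching `suricata.eve.alert.signature_id: (2610161 or 2610162)` under rule_id `c0ca8090-…`, while the next file in this change adds a new rule `7c663c8d-…` for exactly the same two signature IDs, so once both are installed a single Suricata alert will produce two signals. Either delete this file or give the new rule this existing `rule_id` so installations that already have it receive an updated version instead of a duplicate. This query was also not rewritten to the `… or rule.id: (…)` form the other rules received, so it will miss events that only carry the ECS `rule.id` field.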
@@ -0,0 +1,38 @@
+{
+ "description": "Suricata Directory Traversal Characters in an HTTP Request Header",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata Directory Traversal Characters in an HTTP Request Header",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610161 or 2610162) or rule.id: (2610161 or 2610162))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L179-L184",
+ "This group of signatures detects directory traversal characters in a header of an HTTP request. This is not something you should see on a typical network and could indicate an attempt to exploit the web application."
+ ],
+ "risk_score": 50,
+ "rule_id": "7c663c8d-cdfd-4605-9dd6-d682fa4ade8c",
+ "severity": "medium",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
index 3da22fcb912a88..c9d0db8ed300ee 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
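Review bot: the second entry in `references` is a sentence of prose ("This group of signatures detects directory traversal characters…"), but `references` is presented as a list of links in the rule details, so that text will show up as a non-clickable pseudo-URL. Move it into `description`, which at the moment merely repeats `name`, and keep `references` to URLs only. The same pattern appears in each of the other rules that gained `references` in this change, so it is worth fixing them together.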
@@ -1,17 +1,38 @@
 {
- "rule_id": "a6406974-ea70-45b5-b5d8-ca17695adbde",
- "risk_score": 50,
 "description": "Suricata Directory Traversal Characters in HTTP Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Directory Traversal Characters in HTTP Response",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610086 or rule.id:2610086)",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L89",
+ "This group of signatures detects directory traversal characters in a header of an HTTP response. This is not something you should see on a typical network and could indicate an attempt to exploit the web application."
+ ],
+ "risk_score": 75,
+ "rule_id": "a6406974-ea70-45b5-b5d8-ca17695adbde",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610086 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
index 370f9f6ba83fc4..65f8195751fc52 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
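Review bot: the `references` URL is pinned to `blob/master/hunting.rules#L89`, a line anchor on a moving branch, so the next commit to that upstream file silently points users at the wrong signature. Pin to a commit SHA (`blob/<sha>/hunting.rules#L89`) or drop the line anchor and name the signature ID in the description instead. As in the sibling rules, the second `references` entry is descriptive prose and belongs in `description`.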
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
@@ -1,17 +1,38 @@
 {
- "rule_id": "d5d990bc-303c-4241-8138-6ba3cf2ee93e",
- "risk_score": 50,
 "description": "Suricata Directory Traversal in Downloaded Zip File",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Directory Traversal in Downloaded Zip File",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610085 or rule.id:2610085)",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L88",
+ "This group of signatures detects directory traversal characters in a zip archive downloaded over the network. This is not something you should see on a typical network and could indicate an attempt to trick a user to overwrite system files."
+ ],
+ "risk_score": 75,
+ "rule_id": "d5d990bc-303c-4241-8138-6ba3cf2ee93e",
+ "severity": "medium",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "techniques": [
+ {
+ "id": "T1204",
+ "name": "user execution",
+ "reference": "https://attack.mitre.org/techniques/T1204/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610085 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
index 9389897a95b872..bd73b822f9f495 100644
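Review bot: `"risk_score": 75` is paired here with `"severity": "medium"`, whereas every other rule in this change that uses 75 sets severity high (Targeted Malicious Activity, Web Application Attack, the HTTP Response traversal rule). One of the two fields should move; `"severity": "high",` is the natural fix if a traversal-laden archive is considered as serious as the HTTP response case, otherwise drop the score to 50 to match the other medium rules. The `description` still only repeats `name`; the prose currently sitting in `references` is the text that belongs there.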
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
@@ -1,17 +1,38 @@
 {
- "rule_id": "deeae336-4ff7-4cf8-ae5b-18bce05da02e",
- "risk_score": 50,
- "description": "Suricata DNS Traffic on Unusual TCP Port",
+ "description": "Suricata DNS Traffic on Unusual Port (TCP or UDP)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
- "name": "Suricata DNS Traffic on Unusual TCP Port",
+ "language": "kuery",
+ "name": "Suricata DNS Traffic on Unusual Port",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610015 or 2610013) or rule.id: (2610015 or 2610013))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L14-L16",
+ "This detects DNS traffic running on an unusual port. This could indicate an application that is misconfigured or attempting to bypass security controls."
+ ],
+ "risk_score": 50,
+ "rule_id": "deeae336-4ff7-4cf8-ae5b-18bce05da02e",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1065",
+ "name": "uncommonly used port",
+ "reference": "https://attack.mitre.org/techniques/T1065/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610013 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
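Review bot: the query now covers both `2610013` and `2610015`, yet the next file in this change keeps a separate "DNS Traffic on Unusual UDP Port" rule for `2610015` alone, so a single UDP-port alert will generate two signals once both rules are enabled. Either remove the UDP-only rule or narrow this one back to `2610013` and leave the name as it was. The rename to "Unusual Port" with the "(TCP or UDP)" note in `description` is clear; stating in `description` which ports the upstream hunting rule treats as unusual would let analysts triage without opening the reference.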
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
index a6bcf664bf803f..eb9b06f3cab145 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2343d9a4-365b-45b2-acb0-76934d43c75b",
- "risk_score": 50,
 "description": "Suricata DNS Traffic on Unusual UDP Port",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata DNS Traffic on Unusual UDP Port",
+ "query": "suricata.eve.alert.signature_id:2610015 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "2343d9a4-365b-45b2-acb0-76934d43c75b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610015 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
index 005156b68ba982..eaed3aabed8f24 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
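Review bot: this rule keeps the old query shape `suricata.eve.alert.signature_id:2610015 and (…)` without the `or rule.id:2610015` alternative that the rest of the change adds, so events carrying only the ECS `rule.id` field will be missed here but caught by the combined TCP/UDP rule in the preceding file. If the file is kept, align it: `"query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610015 or rule.id:2610015)",`. Given that the combined rule already covers `2610015`, deleting this file is the simpler option and avoids double signals.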
@@ -1,17 +1,17 @@
 {
- "rule_id": "1ed4d2d1-330c-4c7d-b32d-2d8805437946",
- "risk_score": 50,
 "description": "Suricata Double Encoded Characters in a URI",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Double Encoded Characters in a URI",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610092 or 2610093 or 2610094 or 2610095)",
+ "risk_score": 50,
+ "rule_id": "1ed4d2d1-330c-4c7d-b32d-2d8805437946",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610092 or 2610093 or 2610094 or 2610095)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
index 2ff186a4026bba..136ea957be766e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
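Review bot: this rule retains `suricata.eve.alert.signature_id: (2610092 or 2610093 or 2610094 or 2610095)` under rule_id `1ed4d2d1-…`, while the new `suricata_double_encoded_characters_in_http_request.json` added in this same change covers those four IDs plus `2610090` under a fresh rule_id, so every double-encoding alert will fire two signals (three for `2610090`, counting the HTTP POST rule). Fold this rule and the POST rule into the new one by reusing one of the existing `rule_id`s, or drop the new file. If this file stays, its query should also gain the `or rule.id: (…)` clause the other rules received.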
@@ -1,17 +1,17 @@
 {
- "rule_id": "a839a360-94ae-4219-b1cc-458d836333a7",
- "risk_score": 50,
 "description": "Suricata Double Encoded Characters in an HTTP POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Double Encoded Characters in an HTTP POST",
+ "query": "suricata.eve.alert.signature_id:2610090 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "a839a360-94ae-4219-b1cc-458d836333a7",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610090 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json
new file mode 100644
index 00000000000000..3cbdb6da3c141f
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json
@@ -0,0 +1,38 @@
+{
+ "description": "Suricata Double Encoded Characters in a URI",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata Double Encoded Characters in a URI",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610090 or 2610092 or 2610093 or 2610094 or 2610095) or rule.id: (2610090 or 2610092 or 2610093 or 2610094 or 2610095))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules",
+ "This group of signatures detects double encoding of characters in an HTTP request. This is not something you should see on a typical network and could indicate an attempt to exploit the web application or bypass detections."
+ ],
+ "risk_score": 25,
+ "rule_id": "8aedfe6f-9219-463b-808b-91e7ea8ea5e8",
+ "severity": "low",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
index 16f47eb0ba663d..986ac161d70df1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
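Review bot: `"name": "Suricata Double Encoded Characters in a URI"` is byte-identical to the name of the existing rule in `suricata_double_encoded_characters_in_a_uri.json`, so users will see two indistinguishable rows in the rules table, and this rule re-covers signature IDs `2610090` and `2610092-2610095` that the two existing rules still match. Either retire the two older files or name this one after what it adds, e.g. `"name": "Suricata Double Encoded Characters in an HTTP Request",`, matching the file name and the reference text. The second `references` entry is prose and belongs in `description`, and unlike its siblings the URL has no line anchor, so a reader cannot locate the relevant signatures in the upstream file.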
@@ -1,17 +1,17 @@
 {
- "rule_id": "8c77b4ed-4e98-438b-adb0-d645d4a4ea26",
- "risk_score": 50,
 "description": "Suricata eval PHP Function in an HTTP Request",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata eval PHP Function in an HTTP Request",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610088 or rule.id: 2610088)",
+ "risk_score": 50,
+ "rule_id": "8c77b4ed-4e98-438b-adb0-d645d4a4ea26",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610088 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json
new file mode 100644
index 00000000000000..54b881428aa34c
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027349 or 2027350) or rule.id: (2027349 or 2027350))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2018-1000861"],
+ "risk_score": 100,
+ "rule_id": "ada41f8a-92b1-49d0-80ac-c4bc28824ab5",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json
new file mode 100644
index 00000000000000..c050b73114bf52
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json
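Review bot: `name` and `description` cover two CVEs, but `references` lists only `https://nvd.nist.gov/vuln/detail/CVE-2018-1000861`; add `"https://nvd.nist.gov/vuln/detail/CVE-2019-1003000"` so the second half of the chain is documented for the analyst. `description` also drops the `Suricata ` prefix that `name` carries, unlike the other rules in this batch. Two signature IDs are matched (`2027349 or 2027350`); saying in `description` which CVE each corresponds to would speed up triage.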
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004698) or rule.id: (10004698))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0227"],
+ "risk_score": 100,
+ "rule_id": "2c8f321c-ba84-4c16-80dd-f20ea06e0c6d",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json
new file mode 100644
index 00000000000000..9522a286f7898c
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004953) or rule.id: (10004953))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0232"],
+ "risk_score": 100,
+ "rule_id": "fd7ef9a2-f010-49c1-8e08-31d84a9607dd",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json
new file mode 100644
index 00000000000000..95940a5396b943
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027096) or rule.id: (2027096))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0604"],
+ "risk_score": 100,
+ "rule_id": "ec50104d-26b1-45a6-b80e-768bd13cc34c",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json
new file mode 100644
index 00000000000000..401e1e815ea521
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json
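Review bot: The description and name identify this as the ET Rails arbitrary file disclosure signature (SID 2027096), but the file name and the only `references` entry point at CVE-2019-0604, which as far as I recall is a Microsoft SharePoint deserialization RCE and has nothing to do with Rails; the CVE that ET rule is usually tied to is CVE-2019-5418 (Rails file content disclosure), but that should be checked against the ET rule text before changing anything. Whichever is right, the reference URL, the file name and the text must agree, because analysts pivot on the reference link during triage. This is also the only rule in the batch whose `name` carries no CVE at all, which is worth aligning while fixing the reference.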
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004867 or 2027369) or rule.id: (10004867 or 2027369))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0708"],
+ "risk_score": 100,
+ "rule_id": "1589bff6-ec82-4acf-8f67-68ef0f3676d0",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json
new file mode 100644
index 00000000000000..5f256681aedd9f
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json
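Review bot: The `name` here drops the `Suricata ET ...` prefix that every other rule in this batch uses, so it will not sort or filter with its siblings in the rule list and the description and name no longer match. I would make it `"name": "Suricata ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"`. Separately, the query ORs an ET SID (2027369) with what looks like a PTsecurity SID (10004867); if the latter indeed comes from a different ruleset, the description should say which rulesets feed this rule so an operator running ET Open alone knows only half of it is live.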
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027721) or rule.id: (2027721))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0752"],
+ "risk_score": 100,
+ "rule_id": "5aa5f6db-2cc7-43de-ac8b-c7daa52ba9c3",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json
new file mode 100644
index 00000000000000..c470783b0266d3
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json
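Review bot: The ATT&CK mapping does not fit this rule: an IE scripting-engine memory-corruption signature fires when a browser is exploited by content it fetched, which is client-side exploitation, not `T1190 exploit public-facing application` under initial access as the rest of this batch uses. A copy-pasted mapping pollutes every ATT&CK coverage view built from the `threats` array. I would change the technique entry to `"id": "T1203", "name": "exploitation for client execution", "reference": "https://attack.mitre.org/techniques/T1203/"` under tactic Execution (TA0002), or to T1189 Drive-by Compromise under initial access, whichever better matches the ET signature's direction.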
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027349 or 2027350 or 2027346) or rule.id: (2027349 or 2027350 or 2027346))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1003000"],
+ "risk_score": 100,
+ "rule_id": "6deba829-00ac-4298-bc80-976e4ef215d2",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json
new file mode 100644
index 00000000000000..2c18ecc3104fd2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027442) or rule.id: (2027442))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-10149"],
+ "risk_score": 100,
+ "rule_id": "e52d833a-0642-4076-89e9-6b7263361cee",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json
new file mode 100644
index 00000000000000..0e2c8cfa7339d2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json
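Review bot: Both `description` and `name` are truncated: they end in `(CVE-2019-10149` with no closing parenthesis, so the rule list shows an unbalanced string. The same truncation appears in the Atlassian JIRA (CVE-2019-11581) and Zoom (CVE-2019-13450) rules later in this batch. Because these are `immutable: true` prepackaged rules, the text ships to every installation and can only be corrected by a later `version` bump, so I would fix it now to `"description": "ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"` and the matching `name`.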
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028895) or rule.id: (2028895))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11043"],
+ "risk_score": 100,
+ "rule_id": "7955c692-1259-4f77-aa9e-95a98b69d4aa",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json
new file mode 100644
index 00000000000000..65a6874f09932a
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027904) or rule.id: (2027904))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11510"],
+ "risk_score": 100,
+ "rule_id": "d2dbbfee-2104-4d20-b562-d466b0b2c5ef",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json
new file mode 100644
index 00000000000000..6e3e8bc8cdbb72
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027712) or rule.id: (2027712))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11580"],
+ "risk_score": 100,
+ "rule_id": "f6e6c803-b44c-44b1-acbb-cd3e5bca10f8",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json
new file mode 100644
index 00000000000000..34b93871fa10b6
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027711) or rule.id: (2027711))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11581"],
+ "risk_score": 100,
+ "rule_id": "720663fb-23da-43a5-bf4f-907265e5426d",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json
new file mode 100644
index 00000000000000..ae014db82194eb
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027696) or rule.id: (2027696))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-13450"],
+ "risk_score": 100,
+ "rule_id": "04a9d926-51bb-4981-8116-04ee63f1ad75",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json
new file mode 100644
index 00000000000000..5a70886a844699
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json
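Review bot: A Zoom client auto-join signature describes a workstation's client being coaxed into joining a meeting, a client-side and comparatively low-impact issue, yet this rule inherits the batch-wide `"risk_score": 100`, `"severity": "high"` and the `T1190 exploit public-facing application` initial-access mapping, none of which describe what a hit means. I would lower the score and severity to reflect the actual impact and either map the technique to client-side exploitation (T1203 / T1189) or drop the `threats` entry rather than keep an inaccurate one. The closing parenthesis after `CVE-2019-13450` is also missing in both `description` and `name`.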
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027706) or rule.id: (2027706))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-13505"],
+ "risk_score": 100,
+ "rule_id": "7b47f6a7-ae2a-46a1-a718-641649dfbfd6",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json
new file mode 100644
index 00000000000000..cbede3be1782bf
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json
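Review bot: A stored XSS in a WordPress booking plugin is scored `"risk_score": 100` / `"severity": "high"`, identical to the BlueKeep, Citrix ADC and WebLogic unauthenticated-RCE rules in this batch, so the score carries no triage signal at all. Risk should track impact; I would drop this one to something like `"risk_score": 47, "severity": "medium"` so it sorts below the RCE signatures, and apply the same proportionality to the other non-RCE rules here (Zoom auto-join, Exim DoS). As an aside, if the app's default severity-to-risk mapping is the usual 21/47/73/99 scale, a score of 100 would normally pair with `critical`, not `high`, across the whole batch; worth a quick check.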
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SERVER Webmin RCE CVE-2019-15107",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SERVER Webmin RCE CVE-2019-15107",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027896) or rule.id: (2027896))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-15107"],
+ "risk_score": 100,
+ "rule_id": "37f923c4-048d-4a17-b804-b4f895477962",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json
new file mode 100644
index 00000000000000..99ac06aa715aab
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027959 or 2027960) or rule.id: (2027959 or 2027960))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-15846"],
+ "risk_score": 100,
+ "rule_id": "1d625e03-a21b-40c8-82c0-edb497a48254",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json
new file mode 100644
index 00000000000000..0fe9cde7307e8c
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029159 or 2029158) or rule.id: (2029159 or 2029158))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16072"],
+ "risk_score": 100,
+ "rule_id": "5cf97dad-2327-4010-8498-64e5d53fd317",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json
new file mode 100644
index 00000000000000..254c6019a039d3
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json
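Review bot: The description labels this signature `(Outbound)`, i.e. the monitored host is the source of the exploit traffic, so mapping it to `TA0001 initial access` / `T1190 exploit public-facing application` inverts the direction: a hit means an internal host is attacking an external or neighbouring NMS, which is lateral movement or an already compromised box, not an inbound compromise attempt. The query also ORs two SIDs (2029159, 2029158), and I cannot tell from here whether both are outbound; if one is inbound the rule mixes directions and the text should say so. I would either drop the `threats` entry or map it to Lateral Movement `TA0008` / Exploitation of Remote Services `T1210`, and add to the description that the source host, not the destination, is the one to investigate.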
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2026860) or rule.id: (2026860))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1652"],
+ "risk_score": 100,
+ "rule_id": "ed220bf3-6617-41c3-8a03-8726d17e3dfc",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json
new file mode 100644
index 00000000000000..d804e7dc181739
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028933) or rule.id: (2028933))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16662"],
+ "risk_score": 100,
+ "rule_id": "777097d9-059e-409f-9509-67d7f90aea8c",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json
new file mode 100644
index 00000000000000..7ceebbe31c0ea2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028621 or 2028625 or 2028826) or rule.id: (2028621 or 2028625 or 2028826))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16759"],
+ "risk_score": 100,
+ "rule_id": "145634a6-6d3d-4e78-bd51-ffe6f69f6bbb",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json
new file mode 100644
index 00000000000000..2c970e3248a642
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028636) or rule.id: (2028636))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16928"],
+ "risk_score": 100,
+ "rule_id": "39bb4ff1-ec7c-4379-9a07-ad24b83060bf",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json
new file mode 100644
index 00000000000000..2ed70492f52cad
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029153 or 2029152) or rule.id: (2029153 or 2029152))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-17270"],
+ "risk_score": 100,
+ "rule_id": "e6f42ad9-c024-46de-99d8-492d780cdd5e",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json
new file mode 100644
index 00000000000000..9c84f3042e86ce
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027368) or rule.id: (2027368))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1821"],
+ "risk_score": 100,
+ "rule_id": "5aed0105-a86a-4502-9a8b-169ee24b0c7f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json
new file mode 100644
index 00000000000000..2ee5d4bff1cbe5
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json
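Review bot: `Infrastruture` is misspelled in both `description` and `name`; the product is `Cisco Prime Infrastructure`. These strings are what analysts search on in the rule list, and because the rule is `immutable: true` the typo ships to every installation and can only be corrected later with a `version` bump, so it is worth fixing before the first release: `"description": "ET WEB_SPECIFIC_APPS Cisco Prime Infrastructure RCE - CVE-2019-1821"` and the matching `name`.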
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029206 or 2029255) or rule.id: (2029206 or 2029255))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-19781"],
+ "risk_score": 100,
+ "rule_id": "6fde4e79-bf78-4173-b395-73377e289a73",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json
new file mode 100644
index 00000000000000..7ca97786945ff1
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json
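Review bot: The `description` and `name` carry the `M2` suffix of a single ET signature, but the query ORs two SIDs (2029206 and 2029255); ET publishes several `Mn` variants for CVE-2019-19781, so if 2029255 is a different variant the text under-describes what the rule matches, and if it is not, the second SID should be explained. I would drop the `M2` suffix from both strings, e.g. `"name": "Suricata ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"`, and, given how heavily this CVE was exploited, add the Citrix advisory to `references` alongside the NVD link so an analyst lands on mitigation guidance.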
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004781) or rule.id: (10004781))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-2618"],
+ "risk_score": 100,
+ "rule_id": "7ba6a778-647c-4506-8314-8206cf31f513",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json
new file mode 100644
index 00000000000000..66a7c63c9b3735
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004779 or 10004927) or rule.id: (10004779 or 10004927))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-2725"],
+ "risk_score": 100,
+ "rule_id": "f7879284-38e9-40d4-a471-6e1b38fd5a9f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json
new file mode 100644
index 00000000000000..b4a0f0284665dd
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004699 or 2027333) or rule.id: (10004699 or 2027333))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-3396"],
+ "risk_score": 100,
+ "rule_id": "d51ce0e4-31fa-4ffb-a1a6-7f9fa386ea52",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json
new file mode 100644
index 00000000000000..ae6e48baa0fa6a
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027451 or 2027450) or rule.id: (2027451 or 2027450))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-3929"],
+ "risk_score": 100,
+ "rule_id": "0a6fefd6-22dd-4c78-aba8-e949b04360b4",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json
new file mode 100644
index 00000000000000..42d9793336ae36
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028928) or rule.id: (2028928))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-5533"],
+ "risk_score": 100,
+ "rule_id": "65012760-1f26-47a3-b2d3-a685d638483f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json
new file mode 100644
index 00000000000000..cd55b6be262dcb
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004555) or rule.id: (10004555))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-6340"],
+ "risk_score": 100,
+ "rule_id": "4b2b4879-45c6-4721-b058-143f07aa474f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json
new file mode 100644
index 00000000000000..e8cfcb0cfc7916
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029207) or rule.id: (2029207))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-7256"],
+ "risk_score": 100,
+ "rule_id": "8ef47e09-39f5-494a-82b7-3aca4310ea96",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json
new file mode 100644
index 00000000000000..0537004ae4b2d5
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027315) or rule.id: (2027315))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-9978"],
+ "risk_score": 100,
+ "rule_id": "6b185518-b84a-44b7-843c-01c95b5a2a83",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
index 40ada9bb874259..8c36a7052a720a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
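Review bot: Both the "description" and "name" strings of this new rule end with an unclosed parenthesis, `(CVE-2019-9978`, so the rule title renders truncated next to the sibling rules, which all close the CVE reference. Change them to `"description": "ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)",` and the matching `"name"` line with the closing `)` added.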
@@ -1,17 +1,17 @@
 {
- "rule_id": "b1adc850-0fe3-4dac-94d3-6f240071f83a",
- "risk_score": 50,
 "description": "Suricata FTP Traffic on Unusual Port, Internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata FTP Traffic on Unusual Port, Internet Destination",
+ "query": "suricata.eve.alert.signature_id:2610005 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "b1adc850-0fe3-4dac-94d3-6f240071f83a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610005 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
index 8da00c75cedc3b..72228ce1215755 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "43795909-913c-419d-8355-7f2880694bec",
- "risk_score": 50,
 "description": "Suricata HTTP Traffic On Unusual Port, Internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata HTTP Traffic On Unusual Port, Internet Destination",
+ "query": " suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "43795909-913c-419d-8355-7f2880694bec",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
index 4f7bfc2baaf37a..1f06fbb0a337db 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
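Review bot: The re-added "query" value in this file starts with a leading space, `" suricata.eve.alert.signature_id:2610001 and ...`, which none of the sibling rules carry; it is inherited from the old side, but since this commit rewrites the whole file it is the natural place to trim it so the stored query is consistent with the others, `"query": "suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",`.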
@@ -1,17 +1,17 @@
 {
- "rule_id": "738ee70b-7d0f-438f-98ac-a393df58c58f",
- "risk_score": 50,
 "description": "Suricata IMAP Traffic on Unusual Port, internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata IMAP Traffic on Unusual Port, internet Destination",
+ "query": "suricata.eve.alert.signature_id:2610009 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "738ee70b-7d0f-438f-98ac-a393df58c58f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610009 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
index ed46470838069b..9c2d818b88c5d3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c6e6f16f-66de-43d5-8ab7-599af536dedf",
- "risk_score": 50,
 "description": "Suricata LaZagne Artifact in an HTTP POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata LaZagne Artifact in an HTTP POST",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610149 or 2610150)",
+ "risk_score": 50,
+ "rule_id": "c6e6f16f-66de-43d5-8ab7-599af536dedf",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610149 or 2610150)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
index b3a8079c16f11d..0cbf4092bfa31d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1b62e8af-c10d-4708-9a74-118cb1c9ed8a",
- "risk_score": 50,
 "description": "Suricata Mimikatz Artifacts in an HTTP POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Mimikatz Artifacts in an HTTP POST",
+ "query": "suricata.eve.alert.signature_id:2610155 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "1b62e8af-c10d-4708-9a74-118cb1c9ed8a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610155 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
index c72f6b348e2593..730aaa63ab07db 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2b365d3a-11a3-4bec-9698-b36c908f46ff",
- "risk_score": 50,
 "description": "Suricata Mimikatz String Detected in HTTP Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Mimikatz String Detected in HTTP Response",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610144 or 2610145 or 2610146 or 2610147 or 2610148)",
+ "risk_score": 50,
+ "rule_id": "2b365d3a-11a3-4bec-9698-b36c908f46ff",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610144 or 2610145 or 2610146 or 2610147 or 2610148)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
index 66eff77cf43bcd..96f180fee09902 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "67c7d28e-8be4-49ae-9c89-5c328ea245dc",
- "risk_score": 50,
 "description": "Suricata non-DNS Traffic on TCP Port 53",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-DNS Traffic on TCP Port 53",
+ "query": "suricata.eve.alert.signature_id:2610014 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "67c7d28e-8be4-49ae-9c89-5c328ea245dc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610014 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
index e09a4357ba5d45..95458f14b0b2c6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ba6dea7f-ba98-4a86-b570-d05d85472e79",
- "risk_score": 50,
 "description": "Suricata non-DNS Traffic on UDP Port 53",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-DNS Traffic on UDP Port 53",
+ "query": "suricata.eve.alert.signature_id:2610016 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "ba6dea7f-ba98-4a86-b570-d05d85472e79",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610016 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
index 405be74eb83400..42bcc2fa1bca19 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ee2b07ec-94dd-48b2-b46b-7bef47cc43fc",
- "risk_score": 50,
 "description": "Suricata non-FTP Traffic on Port 21",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-FTP Traffic on Port 21",
+ "query": "suricata.eve.alert.signature_id:2610006 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "ee2b07ec-94dd-48b2-b46b-7bef47cc43fc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610006 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
index cd93ceec2374fb..af681646e8224f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "70f9bd9f-accc-4da8-8674-38992096ddba",
- "risk_score": 50,
 "description": "Suricata non-HTTP Traffic on TCP Port 80",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-HTTP Traffic on TCP Port 80",
+ "query": "suricata.eve.alert.signature_id:2610002 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "70f9bd9f-accc-4da8-8674-38992096ddba",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610002 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
index 39e5fd188aa4a7..548b35165028c3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "241b6a1d-4f73-4b68-bd98-22e909681930",
- "risk_score": 50,
 "description": "Suricata non-IMAP Traffic on Port 1443 (IMAP)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-IMAP Traffic on Port 1443 (IMAP)",
+ "query": "suricata.eve.alert.signature_id:2610010 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "241b6a1d-4f73-4b68-bd98-22e909681930",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610010 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
index 0fd1c59a3bc629..a7e57103c633d9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c259ab53-4b1a-42f6-b204-fe057c521515",
- "risk_score": 50,
 "description": "Suricata non-SMB Traffic on TCP Port 139 (SMB)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-SMB Traffic on TCP Port 139 (SMB)",
+ "query": "suricata.eve.alert.signature_id:2610011 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "c259ab53-4b1a-42f6-b204-fe057c521515",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610011 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
index 3d1cc2e61b1a9c..3e07bd7a97cb85 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "256e9e8b-8366-4f23-8cbe-c9eb5ba25633",
- "risk_score": 50,
 "description": "Suricata non-SSH Traffic on Port 22",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-SSH Traffic on Port 22",
+ "query": "suricata.eve.alert.signature_id:2610008 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "256e9e8b-8366-4f23-8cbe-c9eb5ba25633",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610008 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
index 1fd905e6e4647b..16dc9f46f0e32e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b060c87f-af49-40eb-acee-561a1f1331aa",
- "risk_score": 50,
 "description": "Suricata non-TLS on TLS Port",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-TLS on TLS Port",
+ "query": "suricata.eve.alert.signature_id:2610004 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "b060c87f-af49-40eb-acee-561a1f1331aa",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610004 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
index a6534d72a9655b..e8bc59f1b5268a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "6099a760-7293-4e26-8aa8-b984abb32ac6",
- "risk_score": 50,
 "description": "Suricata Possible Cobalt Strike Malleable C2 Null Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Possible Cobalt Strike Malleable C2 Null Response",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610202 or 2610203)",
+ "risk_score": 50,
+ "rule_id": "6099a760-7293-4e26-8aa8-b984abb32ac6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610202 or 2610203)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
index 0a8b4a9861f9be..8b208e5586726a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "cdfbcd5e-1d8e-47e6-b3f2-b09bce780640",
- "risk_score": 50,
 "description": "Suricata Possible SQL Injection - SQL Commands in HTTP Transactions",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Possible SQL Injection - SQL Commands in HTTP Transactions",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610117 or 2610118 or 2610118 or 2610119 or 2610121 or 2610122 or 2610123)",
+ "risk_score": 50,
+ "rule_id": "cdfbcd5e-1d8e-47e6-b3f2-b09bce780640",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610117 or 2610118 or 2610118 or 2610119 or 2610121 or 2610122 or 2610123)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
index 4431f46125ef3e..fe3d500b42d3e9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
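Review bot: The signature id list in the re-added "query" value contains 2610118 twice, `(2610117 or 2610118 or 2610118 or 2610119 or 2610121 or 2610122 or 2610123)`, and 2610120 is the one id missing from an otherwise contiguous run, which suggests one of the duplicates may have been meant as 2610120; that should be checked against the Suricata ruleset the ids come from rather than guessed. If 2610120 is not intended, the duplicate term should at least be dropped so the query reads as a clean list. The duplicate is inherited from the old side, but the rewrite here is the natural place to correct it.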
@@ -1,17 +1,17 @@
 {
-  "rule_id": "87e77fb6-b555-43be-adc5-f57c6aaf7cd0",
-  "risk_score": 50,
   "description": "Suricata RPC Traffic on HTTP Ports",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Suricata RPC Traffic on HTTP Ports",
+  "query": "suricata.eve.alert.signature_id:2610012 and (event.module:suricata and event.kind:alert)",
+  "risk_score": 50,
+  "rule_id": "87e77fb6-b555-43be-adc5-f57c6aaf7cd0",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "suricata.eve.alert.signature_id:2610012 and (event.module:suricata and event.kind:alert)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
index a176be109f8ffa..a59cc42fa4557f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "3baa5b65-d11e-40fb-a9b4-6b2a6a062d48",
-  "risk_score": 50,
   "description": "Suricata Serialized PHP Detected",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Suricata Serialized PHP Detected",
+  "query": "suricata.eve.alert.signature_id:2610091 and (event.module:suricata and event.kind:alert)",
+  "risk_score": 50,
+  "rule_id": "3baa5b65-d11e-40fb-a9b4-6b2a6a062d48",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "suricata.eve.alert.signature_id:2610091 and (event.module:suricata and event.kind:alert)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
index c1fdb1c083789e..e4fd0e866e7cf9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "082fca48-4707-485a-aedb-340ee77e0687",
-  "risk_score": 50,
   "description": "Suricata shell_exec PHP Function in an HTTP POST",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Suricata shell_exec PHP Function in an HTTP POST",
+  "query": "suricata.eve.alert.signature_id:2610087 and (event.module:suricata and event.kind:alert)",
+  "risk_score": 50,
+  "rule_id": "082fca48-4707-485a-aedb-340ee77e0687",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "suricata.eve.alert.signature_id:2610087 and (event.module:suricata and event.kind:alert)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
index ee0510d1e37ac1..a22c3a4fdfdd40 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "82265eef-1212-4c4f-af04-f977a3060592",
-  "risk_score": 50,
   "description": "Suricata SSH Traffic Not on Port 22, Internet Destination",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Suricata SSH Traffic Not on Port 22, Internet Destination",
+  "query": "suricata.eve.alert.signature_id:2610007 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "risk_score": 50,
+  "rule_id": "82265eef-1212-4c4f-af04-f977a3060592",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "suricata.eve.alert.signature_id:2610007 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
index 3d0d5175168f1e..23f1f79bc42487 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "6c1db8ba-db4b-4513-a0e3-b3c857ba8b05",
-  "risk_score": 50,
   "description": "Suricata TLS Traffic on Unusual Port, Internet Destination",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Suricata TLS Traffic on Unusual Port, Internet Destination",
+  "query": "suricata.eve.alert.signature_id:2610003 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "risk_score": 50,
+  "rule_id": "6c1db8ba-db4b-4513-a0e3-b3c857ba8b05",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "suricata.eve.alert.signature_id:2610003 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
index 7ab997b11fb263..9717beac902e5f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "f7f038f4-b97a-4d0c-b3b6-d5fa1ad15951",
-  "risk_score": 50,
   "description": "Suricata Windows Executable Served by JPEG Web Content",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Suricata Windows Executable Served by JPEG Web Content",
+  "query": "suricata.eve.alert.signature_id:2610084 and (event.module:suricata and event.kind:alert)",
+  "risk_score": 50,
+  "rule_id": "f7f038f4-b97a-4d0c-b3b6-d5fa1ad15951",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "suricata.eve.alert.signature_id:2610084 and (event.module:suricata and event.kind:alert)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json
index 43e246cf7c26f2..37cf174786f975 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json
@@ -1,29 +1,22 @@
 {
-  "rule_id": "e49b532b-3e52-4f3d-90f6-05a86982d347",
-  "risk_score": 50,
   "description": "Suspicious process started by a script",
-  "immutable": true,
-  "interval": "5m",
-  "name": "Suspicious process started by a script",
-  "severity": "low",
-  "type": "query",
-  "from": "now-6m",
-  "to": "now",
-  "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe)",
-  "language": "kuery",
+  "enabled": false,
   "filters": [
     {
+      "$state": {
+        "store": "appState"
+      },
       "meta": {
-        "negate": false,
-        "type": "phrase",
+        "alias": null,
+        "disabled": false,
+        "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
         "key": "event.action",
-        "value": "Process Create (rule: ProcessCreate)",
+        "negate": false,
         "params": {
           "query": "Process Create (rule: ProcessCreate)"
         },
-        "disabled": false,
-        "alias": null,
-        "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+        "type": "phrase",
+        "value": "Process Create (rule: ProcessCreate)"
       },
       "query": {
         "match": {
@@ -32,12 +25,19 @@
             "type": "phrase"
           }
         }
-      },
-      "$state": {
-        "store": "appState"
       }
     }
   ],
-  "enabled": false,
+  "from": "now-6m",
+  "immutable": true,
+  "interval": "5m",
+  "language": "kuery",
+  "name": "Suspicious process started by a script",
+  "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe)",
+  "risk_score": 50,
+  "rule_id": "e49b532b-3e52-4f3d-90f6-05a86982d347",
+  "severity": "low",
+  "to": "now",
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
index 5842b67076edda..301954fc587452 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
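Review bot: The new `query` line in this hunk carries a bare `mshta.exe` term in its second group, `... or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe ...`, with no field in front of it; KQL matches a field-less term against the index's default fields rather than `process.name`, so that alternative is both wider than the neighbours and unclear in intent. It should read `process.name:mshta.exe` like the other members of the group. The hunk only moves the line (the same text is removed in the first hunk of this file, which ends on the previous line), so the defect predates the commit, but this is the rule that ships.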
@@ -1,17 +1,17 @@
 {
-  "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc",
-  "risk_score": 50,
   "description": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
+  "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "risk_score": 50,
+  "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
index 4d87d53eb246d1..22429df353679c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc",
-  "risk_score": 50,
   "description": "Windows Burp CE activity",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Burp CE activity",
+  "query": "process.name:BurpSuiteCommunity.exe",
+  "risk_score": 50,
+  "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "process.name:BurpSuiteCommunity.exe",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
index 2e0c9e2b71ae64..6cf9a375586bae 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c",
-  "risk_score": 50,
   "description": "Windows: Certutil Connecting to the Internet",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows: Certutil Connecting to the Internet",
+  "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "risk_score": 50,
+  "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
index 3a0e9a2f355669..c404bf7a05c85e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
-  "risk_score": 50,
   "description": "Windows: Command Prompt Connecting to the Internet",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows: Command Prompt Connecting to the Internet",
+  "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "risk_score": 50,
+  "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
new file mode 100644
index 00000000000000..1bcad8ae016ef8
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
@@ -0,0 +1,16 @@
+{
+  "description": "Command shell started by Internet Explorer",
+  "enabled": false,
+  "from": "now-6m",
+  "immutable": true,
+  "interval": "5m",
+  "language": "kuery",
+  "name": "Command shell started by Internet Explorer",
+  "query": "process.parent.name:iexplore.exe and process.name:cmd.exe",
+  "risk_score": 50,
+  "rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06",
+  "severity": "low",
+  "to": "now",
+  "type": "query",
+  "version": 1
+}
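Review bot: The new rule file `windows_command_shell_started_by_internet_explorer.json` added in this hunk has no `"filters"` key, while every existing rule touched by this patch ends up with an explicit `"filters": []` after the reorder; the two new files on the next line (`..._by_powershell.json`, `..._by_svchost.json`) have the same shape. Whether the prepackaged-rule loader treats the key as optional cannot be told from the diff, so at minimum the new files should match their siblings with `"filters": [],` after `"enabled": false,` to keep the set uniform. If the key really is optional, a short note in the commit description would save the next reader the same question.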
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
new file mode 100644
index 00000000000000..faa9694f658ff0
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
@@ -0,0 +1,16 @@
+{
+  "description": "Command shell started by Powershell",
+  "enabled": false,
+  "from": "now-6m",
+  "immutable": true,
+  "interval": "5m",
+  "language": "kuery",
+  "name": "Command shell started by Powershell",
+  "query": "process.parent.name:powershell.exe and process.name:cmd.exe",
+  "risk_score": 50,
+  "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
+  "severity": "low",
+  "to": "now",
+  "type": "query",
+  "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
new file mode 100644
index 00000000000000..aa371fea3f01d2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
@@ -0,0 +1,16 @@
+{
+  "description": "Command shell started by Svchost",
+  "enabled": false,
+  "from": "now-6m",
+  "immutable": true,
+  "interval": "5m",
+  "language": "kuery",
+  "name": "Command shell started by Svchost",
+  "query": "process.parent.name:svchost.exe and process.name:cmd.exe",
+  "risk_score": 50,
+  "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+  "severity": "low",
+  "to": "now",
+  "type": "query",
+  "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
index 2273249c49b615..dec76deb3e8880 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "66885745-ea38-432c-9edb-599b943948d4",
-  "risk_score": 50,
   "description": "Windows Credential Dumping Commands",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Credential Dumping Commands",
+  "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)",
+  "risk_score": 50,
+  "rule_id": "66885745-ea38-432c-9edb-599b943948d4",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
index 5c9c72efb7aa7c..de3fc49fefa374 100644
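Review bot: The new `query` line, `event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or ...`, relies on operator precedence that does not do what the rule name implies: in KQL `and` binds tighter than `or`, so `event.code: 1` constrains only the first alternative and every later `process.args` clause matches regardless of event code. The intended shape is presumably `event.code: 1 and (process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (...) or (...))`. This hunk only reorders keys, so the defect predates the commit, and the same pattern appears in the connection-manager rule later in this patch (the hunk ending on line 650, `event.code:1 and process.parent.name:pcalua.exe or (...)`), which needs the same parenthesisation.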
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205",
-  "risk_score": 50,
   "description": "Windows Credential Dumping via ImageLoad",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Credential Dumping via ImageLoad",
+  "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)",
+  "risk_score": 50,
+  "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
index 38e23c5759162a..016f49e22a8f8f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68",
-  "risk_score": 50,
   "description": "Windows Credential Dumping via Registry Save",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Credential Dumping via Registry Save",
+  "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)",
+  "risk_score": 50,
+  "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
index 604c4148d30568..cf1334eda67781 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3",
-  "risk_score": 50,
   "description": "Windows Data Compression Using Powershell",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Data Compression Using Powershell",
+  "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)",
+  "risk_score": 50,
+  "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
index 7d6e6c7d539763..f718e5effe8ae1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8",
-  "risk_score": 50,
   "description": "Windows Defense Evasion - Decoding Using Certutil",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Defense Evasion - Decoding Using Certutil",
+  "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
+  "risk_score": 50,
+  "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
index f8f2b6a3fac2a7..844a3fc2ac9ec2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
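Review bot: The new `query` line of the rule named `Windows Defense Evasion - Decoding Using Certutil` is `event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)`, which is the hidden-files rule that follows it in this patch and references neither `certutil.exe` nor any decode argument, so this rule cannot detect what its `name` and `description` state. The hunk only reorders keys, so the mismatch predates the commit, but a prepackaged rule that never fires on its stated behaviour is misleading to anyone relying on it. The query should be built around `process.name:certutil.exe` (as the certutil rule earlier in this patch does) together with its decode switch (`-decode`), with the exact argument form confirmed against the project's other certutil rules. Note also that it still carries the wildcard `*+h*` form that the sibling hidden-files hunk rewrites to `\"+h\"`, which is further evidence of a stale copy-paste.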
@@ -1,17 +1,17 @@
 {
-  "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684",
-  "risk_score": 50,
   "description": "Windows Defense Evasion or Persistence via Hidden Files",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Defense Evasion or Persistence via Hidden Files",
+  "query": "event.code:1 and process.name:attrib.exe and (process.args:\"+h\" or process.args:\"+s\")",
+  "risk_score": 50,
+  "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
index 362ed715a8ebfb..b98b0e3f8d0aa1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
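Review bot: The rewrite of `process.args:*+h*` to `process.args:\"+h\"` (and `*+s*` to `\"+s\"`) on the new `query` line is the only substantive change in this hunk, everything else being key reordering, and it changes detection scope: the wildcard form matched any argument containing `+h`, while the quoted form matches an argument equal to that token, so a combined argument such as `+h+s` would presumably no longer match if `process.args` holds whole arguments. That is likely intended, but a scope change buried in a reorder-only patch deserves a sentence in the commit description. The commit title and description do not mention it.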
@@ -1,17 +1,17 @@
 {
-  "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
-  "risk_score": 50,
   "description": "Windows Defense evasion via Filter Manager",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Defense evasion via Filter Manager",
+  "query": "event.code:1 and process.name:fltmc.exe",
+  "risk_score": 50,
+  "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code:1 and process.name:fltmc.exe",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
index e58399c8c39d24..2d37fedd30480d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762",
-  "risk_score": 50,
   "description": "Windows Defense Evasion via Windows Event Log Tools",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Defense Evasion via Windows Event Log Tools",
+  "query": "event.code:1 and process.name:wevtutil.exe",
+  "risk_score": 50,
+  "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code:1 and process.name:wevtutil.exe",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
index dac45ae03c237c..027556b7f24569 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
-  "risk_score": 50,
   "description": "Windows Execution via Compiled HTML File",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Windows Execution via Compiled HTML File",
+  "query": "event.code:1 and process.name:hh.exe",
+  "risk_score": 50,
+  "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.code:1 and process.name:hh.exe",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
index f97b1da2d5885e..30d2f4e3c89360 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40",
- "risk_score": 50,
 "description": "Windows Execution via Connection Manager",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via Connection Manager",
+ "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
+ "risk_score": 50,
+ "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
index 3a98dcc992e3db..aa67d2aebe64bb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
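Review bot: The query on the new side, `event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)`, ties `event.code:1` only to the first clause, because KQL `and` binds more tightly than `or`; any event carrying one of the three process names matches regardless of event code. Grouping the alternatives restores the intended scope: `"query": "event.code:1 and (process.parent.name:pcalua.exe or process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)"`. The same query, byte for byte, appears in windows_indirect_command_execution.json later in this diff; a rule named for Connection Manager whose query names no Connection Manager component looks like a copy-paste, so the intended detection is worth confirming. The commit only reorders keys here, so both points are pre-existing.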
@@ -1,17 +1,17 @@
 {
- "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494",
- "risk_score": 50,
 "description": "Windows Execution via Microsoft HTML Application (HTA)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via Microsoft HTML Application (HTA)",
+ "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)",
+ "risk_score": 50,
+ "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
index be40d7616290fb..20e0eba610e957 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04",
- "risk_score": 50,
 "description": "Windows Execution via .NET COM Assemblies",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via .NET COM Assemblies",
+ "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)",
+ "risk_score": 50,
+ "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
index c4351f70e385d0..9371ec67fcec5c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143",
- "risk_score": 50,
 "description": "Windows Execution via Regsvr32",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via Regsvr32",
+ "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)",
+ "risk_score": 50,
+ "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
index cf0701685af277..3153c0d38d2fd6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
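Review bot: `scrobj.dll` in the query is a bare term with no field, so KQL matches it against the index's default fields rather than a specific one; if the intent is the command line, anchoring it to the field the sibling rules use, `process.args:*scrobj.dll*`, makes the match explicit and cheaper to evaluate. `event.code: 1` also carries a space after the colon that the other rules omit — accepted by KQL, but inconsistent. Both are pre-existing; the commit only reorders keys here.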
@@ -1,17 +1,17 @@
 {
- "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
- "risk_score": 50,
 "description": "Windows Execution via Trusted Developer Utilities",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via Trusted Developer Utilities",
+ "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)",
+ "risk_score": 50,
+ "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
index 6fa1d4eae74613..4e39ab96840dff 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
- "risk_score": 50,
 "description": "Windows: HTML Help executable Program Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: HTML Help executable Program Connecting to the Internet",
+ "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
index 6e735cae12985c..d00f671c7b606f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
@@ -1,29 +1,22 @@
 {
- "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806",
- "risk_score": 50,
 "description": "Windows image load from a temp directory",
- "immutable": true,
- "interval": "5m",
- "name": "Windows image load from a temp directory",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
- "query": "file.path:Temp",
- "language": "kuery",
+ "enabled": false,
 "filters": [
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
 "alias": null,
- "negate": false,
- "type": "phrase",
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "event.action",
- "value": "Image loaded (rule: ImageLoad)",
+ "negate": false,
 "params": {
 "query": "Image loaded (rule: ImageLoad)"
 },
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ "type": "phrase",
+ "value": "Image loaded (rule: ImageLoad)"
 },
 "query": {
 "match": {
@@ -32,12 +25,19 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 }
 ],
- "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows image load from a temp directory",
+ "query": "file.path:Temp",
+ "risk_score": 50,
+ "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
index bfcf40d403fbe5..cbde84a5fc8580 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
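Review bot: The query `file.path:Temp` depends on how `file.path` is mapped: on a keyword field (which is what the ECS mapping uses, if this index follows it) KQL requires the whole value to equal `Temp`, so the rule would never fire on a real path; a substring match needs wildcards, `"query": "file.path:*Temp*"`. If the index maps `file.path` as analyzed text the current form works, so this is worth confirming against the actual mapping rather than assumed. The query line is only moved by this commit, so the point is pre-existing.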
@@ -1,17 +1,17 @@
 {
- "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2",
- "risk_score": 50,
 "description": "Windows Indirect Command Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Indirect Command Execution",
+ "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
+ "risk_score": 50,
+ "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
index 7fb35a0176b442..e60c57ebc489a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f",
- "risk_score": 50,
 "description": "Windows Iodine activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Iodine activity",
+ "query": "event.code: 1 and process.name:iodine.exe or process.name:iodined.exe",
+ "risk_score": 50,
+ "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:iodine.exe or process.name:iodined.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
index b163dcc5c056e3..378b23825dc820 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
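Review bot: The rewritten query `event.code: 1 and process.name:iodine.exe or process.name:iodined.exe` parses as `(event.code:1 and process.name:iodine.exe) or process.name:iodined.exe`, because `and` binds more tightly than `or` in KQL, so the event-code guard this commit adds never applies to the `iodined.exe` branch. Group the alternatives: `"query": "event.code:1 and (process.name:iodine.exe or process.name:iodined.exe)"`. As written, the `iodined.exe` side behaves exactly like the removed query, which is presumably not what the change set out to do.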
@@ -1,17 +1,17 @@
 {
- "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4",
- "risk_score": 50,
 "description": "Windows Management Instrumentation (WMI) Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Management Instrumentation (WMI) Execution",
+ "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )",
+ "risk_score": 50,
+ "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
index 647dc53a0d05fd..8b5dffeec67af4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215",
- "risk_score": 50,
 "description": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
+ "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
index a6fa7f8942978a..1016d2c7af5f24 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "5346463d-062f-419d-88ff-7a5e97875210",
- "risk_score": 50,
 "description": "Windows Mimikatz activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Mimikatz activity",
+ "query": "event.code: 1 and process.name:mimikatz.exe",
+ "risk_score": 50,
+ "rule_id": "5346463d-062f-419d-88ff-7a5e97875210",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:mimikatz.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index d2bf2985574015..e6d606384d4548 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
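Review bot: The new side drops the `filters` key altogether (the removed array is not replaced), while every rule that never had a filter keeps `"filters": []` — windows_misc_lolbin_connecting_to_the_internet.json in the next hunk, for instance. The same happens in windows_net_command_activity_by_the_system_account.json, windows_net_user_command_activity.json, windows_netcat_activity.json, windows_netcat_network_activity.json, windows_nmap_activity.json and windows_nmap_scan_activity.json. If the rule schema treats `filters` as optional this is only an inconsistency; if it is required, these rules would fail validation on import, so it is worth checking. Adding `+ "filters": [],` after `"enabled": false,` keeps every prepackaged rule on one shape.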
@@ -1,17 +1,17 @@
 {
- "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
- "risk_score": 50,
 "description": "Windows: Misc LOLBin Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Misc LOLBin Connecting to the Internet",
+ "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
index cc5e4cec1d7bd8..f8689bb314857e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
@@ -1,53 +1,16 @@
 {
- "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d",
- "risk_score": 50,
 "description": "Windows net command activity by the SYSTEM account",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows net command activity by the SYSTEM account",
+ "query": "process.name: (net.exe or net1.exe) and user.name:SYSTEM",
+ "risk_score": 50,
+ "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "user.name:SYSTEM",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "type": "phrases",
- "key": "process.name",
- "value": "net.exe, net1.exe",
- "params": [
- "net.exe",
- "net1.exe"
- ],
- "alias": null,
- "negate": false,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "bool": {
- "should": [
- {
- "match_phrase": {
- "process.name": "net.exe"
- }
- },
- {
- "match_phrase": {
- "process.name": "net1.exe"
- }
- }
- ],
- "minimum_should_match": 1
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
index 182f6a0c0928c9..6b895f30fd5c4e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15",
- "risk_score": 50,
 "description": "Windows net user command activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows net user command activity",
+ "query": "process.name:net.exe and process.args:user and event.code:1",
+ "risk_score": 50,
+ "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:net.exe and process.args:user",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
index fef425b72281f2..8b105514ec798b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
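Review bot: The rewritten query `process.name:net.exe and process.args:user and event.code:1` covers only `net.exe`, while the sibling rule windows_net_command_activity_by_the_system_account.json in the previous hunk pairs it with `net1.exe`; the same command issued through `net1.exe` would not be seen by this rule. If that narrowing is not deliberate, `"query": "process.name: (net.exe or net1.exe) and process.args:user and event.code:1"` keeps the two rules aligned.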
@@ -1,43 +1,16 @@
 {
- "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b",
- "risk_score": 50,
 "description": "Windows Netcat activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Netcat activity",
+ "query": "process.name:ncat.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:ncat.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
index 91b094785a9bb6..c16c91d9637e56 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a",
- "risk_score": 50,
 "description": "Windows Netcat network activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Netcat network activity",
+ "query": "process.name:ncat.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
+ "risk_score": 50,
+ "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:ncat.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "connected-to",
- "params": {
- "query": "connected-to"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "connected-to",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
index c59bc4dfa41356..a22b12d242414a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1",
- "risk_score": 50,
 "description": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
+ "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe",
+ "risk_score": 50,
+ "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
index 31409e087f8a5a..a0c3b5be64d1c3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d",
- "risk_score": 50,
 "description": "Windows nmap activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows nmap activity",
+ "query": "process.name:nmap.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:nmap.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
index 580cbe2abcb416..0195367b6f7125 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae",
- "risk_score": 50,
 "description": "Windows nmap scan activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows nmap scan activity",
+ "query": "process.name:nmap.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
+ "risk_score": 50,
+ "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:nmap.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "alias": null,
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Network connection detected (rule: NetworkConnect)",
- "params": {
- "query": "Network connection detected (rule: NetworkConnect)"
- },
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Network connection detected (rule: NetworkConnect)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
index 9c76c4273cafc1..421cadfa8a63d7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372",
- "risk_score": 50,
 "description": "Windows Payload Obfuscation via Certutil",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Payload Obfuscation via Certutil",
+ "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)",
+ "risk_score": 50,
+ "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
index 98268e9f4ad661..47de4ba9ff6e74 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03",
- "risk_score": 50,
 "description": "Windows Persistence or Priv Escalation via Hooking",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence or Priv Escalation via Hooking",
+ "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*",
+ "risk_score": 50,
+ "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
index 4db53da43399b6..c6e558a3be2607 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
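Review bot: The new-side `"query"` line still carries the misspelled field `processs.args:*INJECTRUNNING*` (three s's), copied verbatim from the removed line, so that clause can never match the ECS `process.args` field and the rule is effectively dead even when enabled. It should read `"query": "event.code:1 and process.name:mavinject.exe and process.args:*INJECTRUNNING*",`. Since the file is a prepackaged `immutable` rule, the fix presumably also needs the `version` field bumped so existing installations pick it up.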
@@ -1,17 +1,17 @@
 {
- "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
- "risk_score": 50,
 "description": "Windows Persistence via Application Shimming",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via Application Shimming",
+ "query": "event.code:1 and process.name:sdbinst.exe",
+ "risk_score": 50,
+ "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:sdbinst.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
index e2560badb7be61..b6d97628f98ec5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c",
- "risk_score": 50,
 "description": "Windows Persistence via BITS Jobs",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via BITS Jobs",
+ "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)",
+ "risk_score": 50,
+ "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
index 27300362fecf66..782ce7a6eec92b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40",
- "risk_score": 50,
 "description": "Windows Persistence via Modification of Existing Service",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via Modification of Existing Service",
+ "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)",
+ "risk_score": 50,
+ "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
index c0bd446f968c8d..19e6ac51158eb3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21",
- "risk_score": 50,
 "description": "Windows Persistence via Netshell Helper DLL",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via Netshell Helper DLL",
+ "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*",
+ "risk_score": 50,
+ "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
index dc3fed37a8c53d..50e3d6e0f38747 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d",
- "risk_score": 50,
 "description": "Windows: Powershell Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Powershell Connecting to the Internet",
+ "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
index afeb03150dfcf1..96faa2a88e3a63 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
- "risk_score": 50,
 "description": "Windows Priv Escalation via Accessibility Features",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Priv Escalation via Accessibility Features",
+ "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
+ "risk_score": 50,
+ "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
index 488943dea29498..572a9ede23e2af 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
- "risk_score": 50,
 "description": "Windows Process Discovery via Tasklist Command",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Process Discovery via Tasklist Command",
+ "query": "event.code:1 and process.name:tasklist.exe",
+ "risk_score": 50,
+ "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:tasklist.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
new file mode 100644
index 00000000000000..9e29c82e48872e
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
@@ -0,0 +1,17 @@
+{
+ "description": "Process Execution via WMI",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process Execution via WMI",
+ "query": "process.name:scrcons.exe",
+ "risk_score": 50,
+ "rule_id": "7e6cd4b9-6346-4683-b3e6-6a3e66f3208f",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
new file mode 100644
index 00000000000000..e96c223765cbdb
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
@@ -0,0 +1,16 @@
+{
+ "description": "Process started by Acrobat reader - possible payload",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process started by Acrobat reader - possible payload",
+ "query": "process.parent.name:AcroRd32.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "b6422896-b6e3-45c3-9d9e-4eccb2a25270",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
new file mode 100644
index 00000000000000..c2e185cd0c7ebf
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
@@ -0,0 +1,16 @@
+{
+ "description": "Process started by MS Office program - possible payload",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process started by MS Office program - possible payload",
+ "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE and event.code:1",
+ "risk_score": 50,
+ "rule_id": "838dcec6-ce9a-4cdd-9ca8-f6512cf6d559",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
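Review bot: The `query` in the new windows_process_started_by_ms_office_program_possible_payload.json chains six `or` terms and then appends `and event.code:1` without parentheses; KQL gives `and` higher precedence than `or`, so as written `event.code:1` constrains only the `WINWORD.EXE` branch and the other five parent names match on any event code, which is presumably not intended given the sibling Acrobat rule on the same line pairs its single term with `event.code:1`. Group the alternatives: `"query": "(process.parent.name:EXCEL.EXE or … or process.parent.name:WINWORD.EXE) and event.code:1",`. A one-line `description` that says which event source the rule expects (the removed `filters` blocks elsewhere in this commit tied `event.code:1` to process-creation events) would also help operators tune it.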
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
index ea246b02643708..6902807cb51d11 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2",
- "risk_score": 50,
 "description": "Windows process started by the Java runtime",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows process started by the Java runtime",
+ "query": "process.parent.name:javaw.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.parent.name:javaw.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
new file mode 100644
index 00000000000000..280f061ed7785e
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
@@ -0,0 +1,17 @@
+{
+ "description": "PSexec activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "PSexec activity",
+ "query": "process.name:PsExec.exe or process.name:PsExec64.exe",
+ "risk_score": 50,
+ "rule_id": "3e61ab8b-0f39-4d2e-ab64-332f0d0b3ad7",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index cce8effd5d536f..563553a24a3e7b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
- "risk_score": 50,
 "description": "Windows: Register Server Program Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Register Server Program Connecting to the Internet",
+ "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
index af9935275267bc..d9bc00cfbd3367 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088",
- "risk_score": 50,
 "description": "Windows Registry Query, Local",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Registry Query, Local",
+ "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
+ "risk_score": 50,
+ "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
index 4926aabcb8f9d9..ddf8ff569e35f7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a",
- "risk_score": 50,
 "description": "Windows Registry Query, Network",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Registry Query, Network",
+ "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
+ "risk_score": 50,
+ "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
index d0765ee531bb3b..0e67b777ac6dc5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
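Review bot: The new `query` in windows_registry_query_network.json is byte-identical to the one in windows_registry_query_local.json on the previous line (`event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*`), so the "Network" rule fires on exactly the same events as the "Local" one and only doubles the alert volume. If the intent is to separate remote from local registry queries, the network variant needs a discriminating clause and the local one its negation; otherwise one of the two rule files should be retired. Whichever way it goes, the `description` of each should state what distinguishes it, since the name alone is currently the only difference.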
@@ -1,17 +1,17 @@
 {
- "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8",
- "risk_score": 50,
 "description": "Windows Remote Management Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Remote Management Execution",
+ "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)",
+ "risk_score": 50,
+ "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
index e84d6912793bd1..58fd2df8f15ef1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f",
- "risk_score": 50,
 "description": "Windows Scheduled Task Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Scheduled Task Activity",
+ "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )",
+ "risk_score": 50,
+ "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
index 373d5aa86e6a63..41559425538ab2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02",
- "risk_score": 50,
 "description": "Windows: Script Interpreter Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Script Interpreter Connecting to the Internet",
+ "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
index a05d37126be3e2..64185c784e0282 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
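Review bot: The new `query` here excludes the three RFC 1918 ranges but, unlike the two sibling "Connecting to the Internet" rules in windows_powershell_connecting_to_the_internet.json and windows_register_server_program_connecting_to_the_internet.json earlier in this chunk, omits `and not destination.ip:169.254.169.254/32`, so link-local metadata-endpoint traffic from cscript/wscript alerts here while the same traffic from powershell and regsvr32 does not. Either append the clause for consistency or record in `description` why script interpreters are treated differently. The inconsistency predates this commit (the removed line has the same query) but the reorder is a good moment to align the three.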
@@ -1,17 +1,17 @@
 {
- "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
- "risk_score": 50,
 "description": "Windows Signed Binary Proxy Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution",
+ "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
+ "risk_score": 50,
+ "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
index 931a1f170e5bd1..b1146f07612f67 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
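Review bot: `http` in the new `query` is an unfielded term, so KQL matches it against the index's default search fields rather than a specific protocol field; the same construct appears in windows_signed_binary_proxy_execution_download.json on the next line. If a protocol field is meant, qualify it (for example `network.protocol:http`), and if the term is meant to catch a URL in the command line, say so with `process.args:*http*` so the intent is explicit. As written, a process-creation event (`event.code:1`) that happens to carry "http" in any indexed field satisfies the clause, which makes the rule's precision depend on index settings rather than on the rule itself.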
@@ -1,17 +1,17 @@
 {
- "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00",
- "risk_score": 50,
 "description": "Windows Signed Binary Proxy Execution Download",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution Download",
+ "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)",
+ "risk_score": 50,
+ "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
new file mode 100644
index 00000000000000..c5a7db434ac386
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
@@ -0,0 +1,16 @@
+{
+ "description": "Suspicious process started by a script",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suspicious process started by a script",
+ "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1",
+ "risk_score": 50,
+ "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
index e4acdcee249bf2..b13a20518893cf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
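Review bot: In the new `query`, the term `or mshta.exe or` inside the second parenthesised group has no field name, unlike its neighbours (`process.name:bitsadmin.exe`, `process.name:certutil.exe`, …), so it becomes a free-text match over default fields; because it sits in an `or` branch, the whole second group is satisfied by any process-creation event whose parent is in the first list and that mentions mshta.exe in any indexed field — including the parent name that the first group already matched. Change it to `process.name:mshta.exe`. The `description` duplicates the `name`; a sentence naming the parent/child pairing the rule looks for would make triage easier.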
@@ -1,43 +1,16 @@
 {
- "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
- "risk_score": 50,
 "description": "Windows whoami command activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows whoami command activity",
+ "query": "process.name:whoami.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:whoami.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
new file mode 100644
index 00000000000000..8fc548b694b02b
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
@@ -0,0 +1,17 @@
+{
+ "description": "WinDump activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "WinDump activity",
+ "query": "process.name:WinDump.exe",
+ "risk_score": 50,
+ "rule_id": "a342cfcb-8420-46a4-8d85-53edc631e0d6",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
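Review bot: The rewritten whoami rule drops the `"filters"` key entirely (the old side had the `event.action` phrase filter, the new side has no key at all), while the neighbouring rules reordered in this same commit keep an explicit `"filters": [],`. If the rule loader or its schema treats `filters` as required, this file and the new `windows_suspicious_process_started_by_a_script.json` will be the only prepackaged rules missing it; adding `"filters": [],` after `"enabled": false,` keeps the set uniform. Folding the old `Process Create` filter into the query as `event.code:1` is the intended change and reads fine.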
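Review bot: The new file `windows_windump_activity.json` (rule_id `a342cfcb-8420-46a4-8d85-53edc631e0d6`) is a duplicate of the existing `windump_activity.json` that this commit reorders two hunks later (rule_id `61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8`): both carry `"name": "WinDump activity"` and `"query": "process.name:WinDump.exe"` with identical severity and schedule. Once both ship as prepackaged rules, every WinDump execution produces two signals under the same rule name, and the two can only be told apart by rule_id. One of the two should be removed, or, if the `windows_` file is meant to supersede the other, the old file deleted in the same change so the rule_id does not change underneath users who already enabled it.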
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
index 75dfa58e33318f..30ee18fe53557b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b",
- "risk_score": 50,
 "description": "Windows Wireshark activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Wireshark activity",
+ "query": "process.name:wireshark.exe",
+ "risk_score": 50,
+ "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:wireshark.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json
index db42e194fcf9f7..7b40fc208ecd57 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8",
- "risk_score": 50,
 "description": "WinDump activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "WinDump activity",
+ "query": "process.name:WinDump.exe",
+ "risk_score": 50,
+ "rule_id": "61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:WinDump.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
index 32d722ce42bab6..87549a455c1d3e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c115a407-799b-45d6-962e-a639bb764c06",
- "risk_score": 50,
 "description": "Detected Zeek capture loss exceeds the percentage threshold",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice CaptureLoss::Too_Much_Loss",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"CaptureLoss::Too_Much_Loss\" or rule.name: \"CaptureLoss::Too_Much_Loss\")",
+ "risk_score": 50,
+ "rule_id": "c115a407-799b-45d6-962e-a639bb764c06",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"CaptureLoss::Too_Much_Loss\" or rule.name: \"CaptureLoss::Too_Much_Loss\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
index a707c4647b1ea8..69a82f9840a931 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "22d12b64-33f4-40ce-ad57-49dd870bc8e5",
- "risk_score": 50,
 "description": "Data has sequence hole; perhaps due to filtering.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Conn::Content_Gap",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Content_Gap\" or rule.name: \"Conn::Content_Gap\")",
+ "risk_score": 50,
+ "rule_id": "22d12b64-33f4-40ce-ad57-49dd870bc8e5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Content_Gap\" or rule.name: \"Conn::Content_Gap\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
index 06f413ce93787e..c5ba4eb8082aaf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "53719624-55f0-4541-8370-f27f6766fb9e",
- "risk_score": 50,
 "description": "Possible evasion; usually just chud.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Conn::Retransmission_Inconsistency",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Retransmission_Inconsistency\" or rule.name: \"Conn::Retransmission_Inconsistency\")",
+ "risk_score": 50,
+ "rule_id": "53719624-55f0-4541-8370-f27f6766fb9e",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Retransmission_Inconsistency\" or rule.name: \"Conn::Retransmission_Inconsistency\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
index a664b1314fb36a..cb5db1529aa0ec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "39c40c5a-110c-45b1-876f-969212e8814b",
- "risk_score": 50,
 "description": "Raised when a non-local name is found to be pointing at a local host.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice DNS::External_Name",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"DNS::External_Name\" or rule.name: \"DNS::External_Name\")",
+ "risk_score": 50,
+ "rule_id": "39c40c5a-110c-45b1-876f-969212e8814b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"DNS::External_Name\" or rule.name: \"DNS::External_Name\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
index 73c78ee4354e23..43bc1f05a2212f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7e069475-817e-4e89-9245-1dfaa3083b11",
- "risk_score": 50,
 "description": "Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice FTP::Bruteforcing",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Bruteforcing\" or rule.name: \"FTP::Bruteforcing\")",
+ "risk_score": 50,
+ "rule_id": "7e069475-817e-4e89-9245-1dfaa3083b11",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Bruteforcing\" or rule.name: \"FTP::Bruteforcing\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
index 69e2087c8800e5..63b8b847563b57 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4b9cb3e9-e26a-4bd2-bd1f-8d451b49838f",
- "risk_score": 50,
 "description": "Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice FTP::Site_Exec_Success",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Site_Exec_Success\" or rule.name: \"FTP::Site_Exec_Success\")",
+ "risk_score": 50,
+ "rule_id": "4b9cb3e9-e26a-4bd2-bd1f-8d451b49838f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Site_Exec_Success\" or rule.name: \"FTP::Site_Exec_Success\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
index b14eabc3352b0e..adc8878f6986aa 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "68a33102-3680-4581-a48a-210b23925905",
- "risk_score": 50,
 "description": "Indicates that a host performed a heartbleed attack or scan.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack\")",
+ "risk_score": 50,
+ "rule_id": "68a33102-3680-4581-a48a-210b23925905",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
index 160f2728cdd507..3f03e5483cc315 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "241a61ae-b385-4f36-96c4-b2fb5446cc43",
- "risk_score": 50,
 "description": "Indicates that a host performing a heartbleed attack was probably successful.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack_Success",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack_Success\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack_Success\")",
+ "risk_score": 50,
+ "rule_id": "241a61ae-b385-4f36-96c4-b2fb5446cc43",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack_Success\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack_Success\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
index cfee3959893766..2902c4a4b8e5fe 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "59d6a32c-753e-4c19-bb77-1befdc6e0e6a",
- "risk_score": 50,
 "description": "Indicates we saw many heartbeat requests without a reply. Might be an attack.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Many_Requests",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Many_Requests\" or rule.name: \"Heartbleed::SSL_Heartbeat_Many_Requests\")",
+ "risk_score": 50,
+ "rule_id": "59d6a32c-753e-4c19-bb77-1befdc6e0e6a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Many_Requests\" or rule.name: \"Heartbleed::SSL_Heartbeat_Many_Requests\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
index a6456e63a3ec00..871999b842609a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0c6e7be4-6cab-4ee1-ad51-7c1ffd0e9002",
- "risk_score": 50,
 "description": "Indicates we saw heartbeat requests with odd length. Probably an attack or scan.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Odd_Length",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Odd_Length\" or rule.name: \"Heartbleed::SSL_Heartbeat_Odd_Length\")",
+ "risk_score": 50,
+ "rule_id": "0c6e7be4-6cab-4ee1-ad51-7c1ffd0e9002",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Odd_Length\" or rule.name: \"Heartbleed::SSL_Heartbeat_Odd_Length\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
index 517a03834d57e2..fe6bcb8a881003 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4ca9ef93-7e7e-40a4-8d71-9130204d86e6",
- "risk_score": 50,
 "description": "Indicates that a host performing SQL injection attacks was detected.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice HTTP::SQL_Injection_Attacker",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Attacker\" or rule.name: \"HTTP::SQL_Injection_Attacker\")",
+ "risk_score": 50,
+ "rule_id": "4ca9ef93-7e7e-40a4-8d71-9130204d86e6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Attacker\" or rule.name: \"HTTP::SQL_Injection_Attacker\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
index b00e49c89e402c..ed1f5bbaa13b2a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "dda43d7f-69bc-487f-b05c-2b518e9db622",
- "risk_score": 50,
 "description": "Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice HTTP::SQL_Injection_Victim",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Victim\" or rule.name: \"HTTP::SQL_Injection_Victim\")",
+ "risk_score": 50,
+ "rule_id": "dda43d7f-69bc-487f-b05c-2b518e9db622",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Victim\" or rule.name: \"HTTP::SQL_Injection_Victim\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
index 27cfe2036744ec..615f3b48276567 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "122e153a-78f3-4e7e-a5b5-cfe0b917f109",
- "risk_score": 50,
 "description": "This notice is generated when an intelligence indicator is denoted to be notice-worthy.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Intel::Notice",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Intel::Notice\" or rule.name: \"Intel::Notice\")",
+ "risk_score": 50,
+ "rule_id": "122e153a-78f3-4e7e-a5b5-cfe0b917f109",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Intel::Notice\" or rule.name: \"Intel::Notice\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
index 16e22585d6e13f..cbe9fd654c4f80 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7581fd81-25e8-489e-bcf3-69db068b7a6c",
- "risk_score": 50,
 "description": "Zeek notice reporting a count of how often a notice occurred.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Notice::Tally",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Notice::Tally\" or rule.name: \"Notice::Tally\")",
+ "risk_score": 50,
+ "rule_id": "7581fd81-25e8-489e-bcf3-69db068b7a6c",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Notice::Tally\" or rule.name: \"Notice::Tally\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
index 3e8704dee917a8..2d35d42eb07a1d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0031d83e-1fb4-4dd6-b938-97ae7044b051",
- "risk_score": 50,
 "description": "Limitations in BPF make shunting some connections with BPF impossible. This notice encompasses those various cases.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Cannot_BPF_Shunt_Conn",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Cannot_BPF_Shunt_Conn\" or rule.name: \"PacketFilter::Cannot_BPF_Shunt_Conn\")",
+ "risk_score": 50,
+ "rule_id": "0031d83e-1fb4-4dd6-b938-97ae7044b051",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Cannot_BPF_Shunt_Conn\" or rule.name: \"PacketFilter::Cannot_BPF_Shunt_Conn\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
index 63567a6ebbd90d..4013b77fe6e4ce 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "335b2ddc-f806-46e8-8ffa-114d613aac92",
- "risk_score": 50,
 "description": "This notice is generated if a packet filter cannot be compiled.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Compile_Failure",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Compile_Failure\" or rule.name: \"PacketFilter::Compile_Failure\")",
+ "risk_score": 50,
+ "rule_id": "335b2ddc-f806-46e8-8ffa-114d613aac92",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Compile_Failure\" or rule.name: \"PacketFilter::Compile_Failure\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
index 78b664f573b6bb..21229e4055f480 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4f212278-329b-4088-ae59-9091003dff22",
- "risk_score": 50,
 "description": "Indicates packets were dropped by the packet filter.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Dropped_Packets",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Dropped_Packets\" or rule.name: \"PacketFilter::Dropped_Packets\")",
+ "risk_score": 50,
+ "rule_id": "4f212278-329b-4088-ae59-9091003dff22",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Dropped_Packets\" or rule.name: \"PacketFilter::Dropped_Packets\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
index 7fec89f251e80f..6f6ff30f99b570 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "235988ec-d037-4f5f-a211-74106512b36d",
- "risk_score": 50,
 "description": "Generated if a packet filter fails to install.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Install_Failure",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Install_Failure\" or rule.name: \"PacketFilter::Install_Failure\")",
+ "risk_score": 50,
+ "rule_id": "235988ec-d037-4f5f-a211-74106512b36d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Install_Failure\" or rule.name: \"PacketFilter::Install_Failure\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
index 176c4373e8e961..0785959078bb71 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "de4016de-3374-41a0-a678-21d36c70af9a",
- "risk_score": 50,
 "description": "Indicative that PacketFilter::max_bpf_shunts connections are already being shunted with BPF filters and no more are allowed.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::No_More_Conn_Shunts_Available",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::No_More_Conn_Shunts_Available\" or rule.name: \"PacketFilter::No_More_Conn_Shunts_Available\")",
+ "risk_score": 50,
+ "rule_id": "de4016de-3374-41a0-a678-21d36c70af9a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::No_More_Conn_Shunts_Available\" or rule.name: \"PacketFilter::No_More_Conn_Shunts_Available\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
index 6077e494779e39..e8dbcaaeec43e0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "71e93c42-7990-4233-a8a5-2631193df7db",
-  "risk_score": 50,
   "description": "Generated when a notice takes too long to compile.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice PacketFilter::Too_Long_To_Compile_Filter",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Too_Long_To_Compile_Filter\" or rule.name: \"PacketFilter::Too_Long_To_Compile_Filter\")",
+  "risk_score": 50,
+  "rule_id": "71e93c42-7990-4233-a8a5-2631193df7db",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Too_Long_To_Compile_Filter\" or rule.name: \"PacketFilter::Too_Long_To_Compile_Filter\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
index 2375fce0cf2b10..0caf01e3823c9b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "777586b6-4757-489e-a6e8-676b7df70b39",
-  "risk_score": 50,
   "description": "Indicates a protocol was detected on a non-standard port.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice ProtocolDetector::Protocol_Found",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Protocol_Found\" or rule.name: \"ProtocolDetector::Protocol_Found\")",
+  "risk_score": 50,
+  "rule_id": "777586b6-4757-489e-a6e8-676b7df70b39",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Protocol_Found\" or rule.name: \"ProtocolDetector::Protocol_Found\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
index 6fd75bd7591219..196c9dc7241c8c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "7d7f7635-6900-4f63-b14b-477a909ea90a",
-  "risk_score": 50,
   "description": "Indicates a server was detected on a non-standard port for the protocol.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice ProtocolDetector::Server_Found",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Server_Found\" or rule.name: \"ProtocolDetector::Server_Found\")",
+  "risk_score": 50,
+  "rule_id": "7d7f7635-6900-4f63-b14b-477a909ea90a",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Server_Found\" or rule.name: \"ProtocolDetector::Server_Found\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
index fe0508f08ab1dd..34c8a126e424c0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "9d320fca-4ec1-4511-bdbc-7edf9673c07d",
-  "risk_score": 50,
   "description": "Address scans detect that a host appears to be scanning some number of destinations on a single port.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Scan::Address_Scan",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Address_Scan\" or rule.name: \"Scan::Address_Scan\")",
+  "risk_score": 50,
+  "rule_id": "9d320fca-4ec1-4511-bdbc-7edf9673c07d",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Address_Scan\" or rule.name: \"Scan::Address_Scan\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
index 007e5fd94ae5fc..1334f2c08ad09f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "d09fbf7a-47a7-4130-8dd7-b386cca81a42",
-  "risk_score": 50,
   "description": "Port scans detect that an attacking host appears to be scanning a single victim host on several ports.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Scan::Port_Scan",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Port_Scan\" or rule.name: \"Scan::Port_Scan\")",
+  "risk_score": 50,
+  "rule_id": "d09fbf7a-47a7-4130-8dd7-b386cca81a42",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Port_Scan\" or rule.name: \"Scan::Port_Scan\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
index f5b708dce484f3..1dc25388dc688f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "a704589c-8ba9-4a3c-8e39-ab9360cade17",
-  "risk_score": 50,
   "description": "The same signature has triggered multiple times for a host.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Signatures::Count_Signature",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Count_Signature\" or rule.name: \"Signatures::Count_Signature\")",
+  "risk_score": 50,
+  "rule_id": "a704589c-8ba9-4a3c-8e39-ab9360cade17",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Count_Signature\" or rule.name: \"Signatures::Count_Signature\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
index 8e8b9ae8793ae9..06cf39c1c3dbdd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "4f313ae8-cbc6-4082-9599-526f8ccb7303",
-  "risk_score": 50,
   "description": "Host has triggered the same signature on multiple hosts.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Signatures::Multiple_Sig_Responders",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Sig_Responders\" or rule.name: \"Signatures::Multiple_Sig_Responders\")",
+  "risk_score": 50,
+  "rule_id": "4f313ae8-cbc6-4082-9599-526f8ccb7303",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Sig_Responders\" or rule.name: \"Signatures::Multiple_Sig_Responders\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
index 0d24f030472c61..350e6dfc30e187 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "ab90d81c-79e1-4f62-a61e-484c4bedb2b0",
-  "risk_score": 50,
   "description": "Host has triggered many signatures on the same host.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Signatures::Multiple_Signatures",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Signatures\" or rule.name: \"Signatures::Multiple_Signatures\")",
+  "risk_score": 50,
+  "rule_id": "ab90d81c-79e1-4f62-a61e-484c4bedb2b0",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Signatures\" or rule.name: \"Signatures::Multiple_Signatures\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
index 545c6536904937..c1438edf2e4acf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "ac394dec-67e8-417f-bb06-ae0bd75556b0",
-  "risk_score": 50,
   "description": "Generic notice type for notice-worthy signature matches.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Signatures::Sensitive_Signature",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Sensitive_Signature\" or rule.name: \"Signatures::Sensitive_Signature\")",
+  "risk_score": 50,
+  "rule_id": "ac394dec-67e8-417f-bb06-ae0bd75556b0",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Sensitive_Signature\" or rule.name: \"Signatures::Sensitive_Signature\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
index 76fb44b6bd24a8..7fd878ceb6c7f8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "d17fe857-eb67-4843-ab63-bf4852e49396",
-  "risk_score": 50,
   "description": "Summarize the number of times a host triggered a signature.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Signatures::Signature_Summary",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Signature_Summary\" or rule.name: \"Signatures::Signature_Summary\")",
+  "risk_score": 50,
+  "rule_id": "d17fe857-eb67-4843-ab63-bf4852e49396",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Signature_Summary\" or rule.name: \"Signatures::Signature_Summary\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
index b1b52dc6c08f2e..1e2579dfd1b4ec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "402d5f78-82cd-4320-8b69-3185e44daf07",
-  "risk_score": 50,
   "description": "The originator’s address is seen in the block list error message. This is useful to detect local hosts sending SPAM with a high positive rate.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SMTP::Blocklist_Blocked_Host",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Blocked_Host\" or rule.name: \"SMTP::Blocklist_Blocked_Host\")",
+  "risk_score": 50,
+  "rule_id": "402d5f78-82cd-4320-8b69-3185e44daf07",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Blocked_Host\" or rule.name: \"SMTP::Blocklist_Blocked_Host\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
index 69adf95592dd72..ae4794bd5481f4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "b9bb4a93-8c5c-4942-9193-e2dc97230034",
-  "risk_score": 50,
   "description": "An SMTP server sent a reply mentioning an SMTP block list.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SMTP::Blocklist_Error_Message",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Error_Message\" or rule.name: \"SMTP::Blocklist_Error_Message\")",
+  "risk_score": 50,
+  "rule_id": "b9bb4a93-8c5c-4942-9193-e2dc97230034",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Error_Message\" or rule.name: \"SMTP::Blocklist_Error_Message\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
index 2414a8a7669a47..ed871f4aa68986 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "cc6e9fef-d936-4faf-8936-e576c089d8b2",
-  "risk_score": 50,
   "description": "SMTP message orignated from country or network configured to be suspicious.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SMTP::Suspicious_Origination",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Suspicious_Origination\" or rule.name: \"SMTP::Suspicious_Origination\")",
+  "risk_score": 50,
+  "rule_id": "cc6e9fef-d936-4faf-8936-e576c089d8b2",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Suspicious_Origination\" or rule.name: \"SMTP::Suspicious_Origination\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
index 87f1472a0420db..5a5cd3f48245f9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "ea1d2c1b-ecfe-42a5-bd0b-56c7a1bd8075",
-  "risk_score": 50,
   "description": "Indicates that an interesting software application changed versions on a host.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Software::Software_Version_Change",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Software_Version_Change\" or rule.name: \"Software::Software_Version_Change\")",
+  "risk_score": 50,
+  "rule_id": "ea1d2c1b-ecfe-42a5-bd0b-56c7a1bd8075",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Software_Version_Change\" or rule.name: \"Software::Software_Version_Change\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
index 24b803e654fcf5..8addd5ed395624 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "97b4d80c-7671-4301-85a6-954aa0ba96ce",
-  "risk_score": 50,
   "description": "Indicates that a vulnerable version of software was detected.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice Software::Vulnerable_Version",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Vulnerable_Version\" or rule.name: \"Software::Vulnerable_Version\")",
+  "risk_score": 50,
+  "rule_id": "97b4d80c-7671-4301-85a6-954aa0ba96ce",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Vulnerable_Version\" or rule.name: \"Software::Vulnerable_Version\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
index 70e20f85d9b49d..f69ab099bf6d98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "6a7f2b0a-3f24-4d58-aa84-243f1f0556d9",
-  "risk_score": 50,
   "description": "Generated if a login originates or responds with a host where the reverse hostname lookup resolves to a name matched by the SSH::interesting_hostnames regular expression.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SSH::Interesting_Hostname_Login",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Interesting_Hostname_Login\" or rule.name: \"SSH::Interesting_Hostname_Login\")",
+  "risk_score": 50,
+  "rule_id": "6a7f2b0a-3f24-4d58-aa84-243f1f0556d9",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Interesting_Hostname_Login\" or rule.name: \"SSH::Interesting_Hostname_Login\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
index 7d9402f7a1ec49..3b12aae2f4dd8a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "5600ad95-2244-43db-8a7d-77eea95f80db",
-  "risk_score": 50,
   "description": "Indicates that a host previously identified as a \"password guesser\" has now had a successful login attempt.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SSH::Login_By_Password_Guesser",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Login_By_Password_Guesser\" or rule.name: \"SSH::Login_By_Password_Guesser\")",
+  "risk_score": 50,
+  "rule_id": "5600ad95-2244-43db-8a7d-77eea95f80db",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Login_By_Password_Guesser\" or rule.name: \"SSH::Login_By_Password_Guesser\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
index 00c346bc0ecc7f..4fd7e8ec15ed70 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "e278142a-4ee7-4443-9b1f-421174b0dabf",
-  "risk_score": 50,
   "description": "Indicates that a host has been identified as crossing the SSH::password_guesses_limit threshold with failed logins.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SSH::Password_Guessing",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Password_Guessing\" or rule.name: \"SSH::Password_Guessing\")",
+  "risk_score": 50,
+  "rule_id": "e278142a-4ee7-4443-9b1f-421174b0dabf",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Password_Guessing\" or rule.name: \"SSH::Password_Guessing\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
index 943f56b7c93684..ecd57510441ae0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "983f4b7e-38cd-4d7f-8be6-40447431561e",
-  "risk_score": 50,
   "description": "SSH login was seen to or from a \"watched\" country based on the SSH::watched_countries variable",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SSH::Watched_Country_Login",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Watched_Country_Login\" or rule.name: \"SSH::Watched_Country_Login\")",
+  "risk_score": 50,
+  "rule_id": "983f4b7e-38cd-4d7f-8be6-40447431561e",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Watched_Country_Login\" or rule.name: \"SSH::Watched_Country_Login\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
index 030b56cc577827..0309896ed31eea 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "3981f48e-49a5-4a3e-9b44-900a0887526c",
-  "risk_score": 50,
   "description": "Indicates that a certificate’s NotValidAfter date has lapsed and the certificate is now invalid.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SSL::Certificate_Expired",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expired\" or rule.name: \"SSL::Certificate_Expired\")",
+  "risk_score": 50,
+  "rule_id": "3981f48e-49a5-4a3e-9b44-900a0887526c",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expired\" or rule.name: \"SSL::Certificate_Expired\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
index 702724abcfa643..8f76bdab1a7ea3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "e8207172-3478-4b2c-85b7-6f13d97fff43",
-  "risk_score": 50,
   "description": "Indicates that a certificate is going to expire within SSL::notify_when_cert_expiring_in.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SSL::Certificate_Expires_Soon",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expires_Soon\" or rule.name: \"SSL::Certificate_Expires_Soon\")",
+  "risk_score": 50,
+  "rule_id": "e8207172-3478-4b2c-85b7-6f13d97fff43",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expires_Soon\" or rule.name: \"SSL::Certificate_Expires_Soon\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
index 258fb0cf78b604..785ba45744022c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
@@ -1,17 +1,17 @@
 {
-  "rule_id": "45586490-99f6-4e11-8228-2229d727a3b4",
-  "risk_score": 50,
   "description": "Indicates that a certificate’s NotValidBefore date is future dated.",
+  "enabled": false,
+  "filters": [],
+  "from": "now-6m",
   "immutable": true,
   "interval": "5m",
+  "language": "kuery",
   "name": "Zeek Notice SSL::Certificate_Not_Valid_Yet",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Not_Valid_Yet\" or rule.name: \"SSL::Certificate_Not_Valid_Yet\")",
+  "risk_score": 50,
+  "rule_id": "45586490-99f6-4e11-8228-2229d727a3b4",
   "severity": "low",
-  "type": "query",
-  "from": "now-6m",
   "to": "now",
-  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Not_Valid_Yet\" or rule.name: \"SSL::Certificate_Not_Valid_Yet\")",
-  "language": "kuery",
-  "filters": [],
-  "enabled": false,
+  "type": "query",
   "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
index 43c4b46e36c076..3704a1be0cd269 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
@@ -1,17 +1,17 @@ { - "rule_id": "eb17fcbb-de22-4aa0-81aa-1c059bdd4f2b", - "risk_score": 50, "description": "This indicates that the OCSP response was not deemed to be valid.", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice SSL::Invalid_Ocsp_Response", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Ocsp_Response\" or rule.name: \"SSL::Invalid_Ocsp_Response\")", + "risk_score": 50, + "rule_id": "eb17fcbb-de22-4aa0-81aa-1c059bdd4f2b", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Ocsp_Response\" or rule.name: \"SSL::Invalid_Ocsp_Response\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json index 8c473f00076241..c068a3ecf0d82c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json 
@@ -1,17 +1,17 @@ { - "rule_id": "13f51fe0-fc74-4c45-90f3-6fb1cd26ec66", - "risk_score": 50, "description": "This notice indicates that the result of validating the certificate along with its full certificate chain was invalid.", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice SSL::Invalid_Server_Cert", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Server_Cert\" or rule.name: \"SSL::Invalid_Server_Cert\")", + "risk_score": 50, + "rule_id": "13f51fe0-fc74-4c45-90f3-6fb1cd26ec66", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Server_Cert\" or rule.name: \"SSL::Invalid_Server_Cert\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json index ba60fa82a5baea..8d180115eadeac 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json 
@@ -1,17 +1,17 @@ { - "rule_id": "260b680e-c3d6-4c03-90cd-03c86e9f8ec1", - "risk_score": 50, "description": "Indicates that a server is using a potentially unsafe version", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice SSL::Old_Version", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Old_Version\" or rule.name: \"SSL::Old_Version\")", + "risk_score": 50, + "rule_id": "260b680e-c3d6-4c03-90cd-03c86e9f8ec1", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Old_Version\" or rule.name: \"SSL::Old_Version\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json index 786b42cb8db50d..602445d1463fe3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json 
@@ -1,17 +1,17 @@ { - "rule_id": "25886074-6ae1-41c0-8546-e8cf55ed1b4b", - "risk_score": 50, "description": "Indicates that a server is using a potentially unsafe cipher", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice SSL::Weak_Cipher", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Cipher\" or rule.name: \"SSL::Weak_Cipher\")", + "risk_score": 50, + "rule_id": "25886074-6ae1-41c0-8546-e8cf55ed1b4b", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Cipher\" or rule.name: \"SSL::Weak_Cipher\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json index 7120cfe5e81ad0..b88752e9b8c945 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json 
@@ -1,17 +1,17 @@ { - "rule_id": "e020f504-c0e5-4768-8e1f-1e2ec7bac961", - "risk_score": 50, "description": "Indicates that a server is using a potentially unsafe key.", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice SSL::Weak_Key", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Key\" or rule.name: \"SSL::Weak_Key\")", + "risk_score": 50, + "rule_id": "e020f504-c0e5-4768-8e1f-1e2ec7bac961", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Key\" or rule.name: \"SSL::Weak_Key\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json index 47817a05ea5707..8a36b974dc4fc6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json 
@@ -1,17 +1,17 @@ { - "rule_id": "a130a0ba-b083-4630-b0ea-cceb80d7720b", - "risk_score": 50, "description": "The hash value of a file transferred over HTTP matched in the malware hash registry.", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice TeamCymruMalwareHashRegistry::Match", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"TeamCymruMalwareHashRegistry::Match\" or rule.name: \"TeamCymruMalwareHashRegistry::Match\")", + "risk_score": 50, + "rule_id": "a130a0ba-b083-4630-b0ea-cceb80d7720b", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"TeamCymruMalwareHashRegistry::Match\" or rule.name: \"TeamCymruMalwareHashRegistry::Match\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json index c676c84347cb55..ec05000118f35d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json 
@@ -1,17 +1,17 @@ { - "rule_id": "aeefe077-f05d-44a7-b757-272fc51c334c", - "risk_score": 50, "description": "Indicates that a host was seen running traceroutes.", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice Traceroute::Detected", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Traceroute::Detected\" or rule.name: \"Traceroute::Detected\")", + "risk_score": 50, + "rule_id": "aeefe077-f05d-44a7-b757-272fc51c334c", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Traceroute::Detected\" or rule.name: \"Traceroute::Detected\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json index fc1da9e414cc5c..dcc5dfcf124ca0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json 
@@ -1,17 +1,17 @@ { - "rule_id": "d5ad39d0-8421-4f79-ad93-8ddbf7f553b3", - "risk_score": 50, "description": "Generic unusual but notice-worthy weird activity.", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Zeek Notice Weird::Activity", + "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Weird::Activity\" or rule.name: \"Weird::Activity\")", + "risk_score": 50, + "rule_id": "d5ad39d0-8421-4f79-ad93-8ddbf7f553b3", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Weird::Activity\" or rule.name: \"Weird::Activity\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh new file mode 100755 index 00000000000000..3bcf158703c7d7 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh 
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -e
+
+# Regenerates the index.ts that contains all of the rules that are read in from json
+
+PREPACKAGED_RULES_INDEX=../rules/prepackaged_rules/index.ts
+
+echo "/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+// Auto generated file from scripts/regen_prepackage_rules_index.sh
+// Do not hand edit. Run that script to regenerate package information instead
+" > ${PREPACKAGED_RULES_INDEX}
+
+RULE_NUMBER=1
+for f in ../rules/prepackaged_rules/*.json ; do
+ echo "import rule${RULE_NUMBER} from './$(basename -- "$f")';" >> ${PREPACKAGED_RULES_INDEX}
+ RULE_NUMBER=$[$RULE_NUMBER +1]
+done
+
+echo "export const rawRules = [" >> ${PREPACKAGED_RULES_INDEX}
+
+RULE_NUMBER=1
+for f in ../rules/prepackaged_rules/*.json ; do
+ echo " rule${RULE_NUMBER}," >> ${PREPACKAGED_RULES_INDEX}
+ RULE_NUMBER=$[$RULE_NUMBER +1]
+done
+
+echo "];" >> ${PREPACKAGED_RULES_INDEX}
\ No newline at end of file
From b9a0f958bcd63377704ea835ac06d5831ebd686b Mon Sep 17 00:00:00 2001
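Review bot: `RULE_NUMBER=$[$RULE_NUMBER +1]` in both loops uses the legacy `$[...]` arithmetic form, which is not POSIX and is not expanded by every `/bin/sh` (dash, for one, leaves it literal), so on such a shell the generated index would contain broken `rule$[...]` identifiers; `RULE_NUMBER=$((RULE_NUMBER + 1))` is the portable spelling. The script also only works when invoked from its own directory because of the relative `../rules/prepackaged_rules` paths; a `cd "$(dirname "$0")"` right after `set -e` would make it location-independent and keep `set -e` meaningful. The header it writes names `scripts/regen_prepackage_rules_index.sh`, while the file itself is `regen_prepackge_rules_index.sh`, so one of the two spellings needs fixing or the "run that script" hint will point at a file that does not exist.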
From: Joe Reuter Date: Wed, 15 Jan 2020 10:10:12 +0100 Subject: [PATCH 06/10] Reverse dependency of home plugin and apm/ml/cloud (#52883) --- .../core_plugins/kibana/public/home/index.ts | 2 +- .../kibana/public/home/kibana_services.ts | 3 +- .../home/np_ready/components/home_app.js | 11 ++- .../core_plugins/kibana/public/home/plugin.ts | 13 +++- .../visualize_embeddable_factory.tsx | 1 - .../new_platform/new_platform.karma_mock.js | 3 + src/plugins/home/public/index.ts | 2 +- src/plugins/home/public/plugin.test.mocks.ts | 3 + src/plugins/home/public/plugin.test.ts | 20 +++++- src/plugins/home/public/plugin.ts | 19 +++++ .../services/environment/environment.mock.ts | 54 ++++++++++++++ .../services/environment/environment.test.ts | 47 ++++++++++++ .../services/environment/environment.ts | 71 +++++++++++++++++++ .../home/public/services/environment/index.ts | 25 +++++++ src/plugins/home/public/services/index.ts | 1 + ..._feature.js => legacy_register_feature.ts} | 18 +++-- .../apm/public/new-platform/plugin.tsx | 2 +- .../plugins/ml/public/register_feature.js | 29 -------- .../plugins/ml/public/register_feature.ts | 28 ++++++++ x-pack/plugins/cloud/kibana.json | 2 +- x-pack/plugins/cloud/public/plugin.ts | 11 ++- 21 files changed, 313 insertions(+), 52 deletions(-) create mode 100644 src/plugins/home/public/services/environment/environment.mock.ts create mode 100644 src/plugins/home/public/services/environment/environment.test.ts create mode 100644 src/plugins/home/public/services/environment/environment.ts create mode 100644 src/plugins/home/public/services/environment/index.ts rename x-pack/legacy/plugins/apm/public/{legacy_register_feature.js => legacy_register_feature.ts} (53%) delete mode 100644 x-pack/legacy/plugins/ml/public/register_feature.js create mode 100644 x-pack/legacy/plugins/ml/public/register_feature.ts 
diff --git a/src/legacy/core_plugins/kibana/public/home/index.ts b/src/legacy/core_plugins/kibana/public/home/index.ts index bd3a0b38ec3f0e..b2d90f1444654a 100644 --- a/src/legacy/core_plugins/kibana/public/home/index.ts +++ b/src/legacy/core_plugins/kibana/public/home/index.ts @@ -73,6 +73,6 @@ let copiedLegacyCatalogue = false; }, }); instance.start(npStart.core, { - data: npStart.plugins.data, + ...npStart.plugins, }); })(); diff --git a/src/legacy/core_plugins/kibana/public/home/kibana_services.ts b/src/legacy/core_plugins/kibana/public/home/kibana_services.ts index 3ec095f4f26bf8..0eb55a3902edac 100644 --- a/src/legacy/core_plugins/kibana/public/home/kibana_services.ts +++ b/src/legacy/core_plugins/kibana/public/home/kibana_services.ts @@ -29,7 +29,7 @@ import { UiSettingsState, } from 'kibana/public'; import { UiStatsMetricType } from '@kbn/analytics'; -import { FeatureCatalogueEntry } from '../../../../../plugins/home/public'; +import { Environment, FeatureCatalogueEntry } from '../../../../../plugins/home/public'; export interface HomeKibanaServices { indexPatternService: any; @@ -61,6 +61,7 @@ export interface HomeKibanaServices { shouldShowTelemetryOptIn: boolean; docLinks: DocLinksStart; addBasePath: (url: string) => string; + environment: Environment; } let services: HomeKibanaServices | null = null; diff --git a/src/legacy/core_plugins/kibana/public/home/np_ready/components/home_app.js b/src/legacy/core_plugins/kibana/public/home/np_ready/components/home_app.js index 6532737cc02e84..e49f00b949da5b 100644 --- a/src/legacy/core_plugins/kibana/public/home/np_ready/components/home_app.js +++ b/src/legacy/core_plugins/kibana/public/home/np_ready/components/home_app.js 
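Review bot: `...npStart.plugins` hands the legacy `HomePlugin.start` every new-platform plugin object instead of the two it declares in `HomePluginStartDependencies` (`data` and `home`); that saves an edit per new dependency, but it hides at the call site which plugins the legacy home app actually relies on, and a plugin that happens to be absent would presumably arrive as `undefined` without any type error here. Listing them explicitly, `data: npStart.plugins.data, home: npStart.plugins.home,`, keeps the contract visible where it is fulfilled. The enclosing IIFE starts outside the hunk.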
@@ -28,22 +28,19 @@ import { HashRouter as Router, Switch, Route, Redirect } from 'react-router-dom' import { getTutorial } from '../load_tutorials'; import { replaceTemplateStrings } from './tutorial/replace_template_strings'; import { getServices } from '../../kibana_services'; -// TODO This is going to be refactored soon -// eslint-disable-next-line @kbn/eslint/no-restricted-paths -import { npSetup } from 'ui/new_platform'; export function HomeApp({ directories }) { const { getInjected, savedObjectsClient, getBasePath, addBasePath, + environment, telemetryOptInProvider: { setOptInNoticeSeen, getOptIn }, } = getServices(); - const { cloud } = npSetup.plugins; - const isCloudEnabled = !!(cloud && cloud.isCloudEnabled); + const isCloudEnabled = environment.cloud; + const mlEnabled = environment.ml; + const apmUiEnabled = environment.apmUi; - const apmUiEnabled = getInjected('apmUiEnabled', true); - const mlEnabled = getInjected('mlEnabled', false); const defaultAppId = getInjected('kbnDefaultAppId', 'discover'); const renderTutorialDirectory = props => { diff --git a/src/legacy/core_plugins/kibana/public/home/plugin.ts b/src/legacy/core_plugins/kibana/public/home/plugin.ts index a998e4d07ab156..42ab049eb5b3a8 100644 --- a/src/legacy/core_plugins/kibana/public/home/plugin.ts +++ b/src/legacy/core_plugins/kibana/public/home/plugin.ts @@ -23,7 +23,11 @@ import { UiStatsMetricType } from '@kbn/analytics'; import { DataPublicPluginStart } from 'src/plugins/data/public'; import { setServices } from './kibana_services'; import { KibanaLegacySetup } from '../../../../../plugins/kibana_legacy/public'; -import { FeatureCatalogueEntry } from '../../../../../plugins/home/public'; +import { + Environment, + FeatureCatalogueEntry, + HomePublicPluginStart, +} from '../../../../../plugins/home/public'; export interface LegacyAngularInjectedDependencies { telemetryOptInProvider: any; 
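Review bot: `const apmUiEnabled = environment.apmUi;` changes the fallback: the removed `getInjected('apmUiEnabled', true)` defaulted to `true` when nothing was injected, whereas `EnvironmentService` starts with `apmUi: false` and only flips it once the APM plugin calls `environment.update`, so a deployment without APM (or one where APM registers after the home app reads the flag) now hides the APM tiles where it previously showed them. That is arguably the better behaviour, but it is a user-visible change that the PR description does not call out; a comment on the three reads, `// environment flags default to false until the owning plugin reports itself via home.environment.update`, would document the new contract. `getInjected` must stay destructured since `kbnDefaultAppId` is still read from it. `HomeApp` continues outside the hunk.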
@@ -32,6 +36,7 @@ export interface LegacyAngularInjectedDependencies { export interface HomePluginStartDependencies { data: DataPublicPluginStart; + home: HomePublicPluginStart; } export interface HomePluginSetupDependencies { @@ -60,6 +65,7 @@ export interface HomePluginSetupDependencies { export class HomePlugin implements Plugin { private dataStart: DataPublicPluginStart | null = null; private savedObjectsClient: any = null; + private environment: Environment | null = null; setup( core: CoreSetup, @@ -86,6 +92,7 @@ export class HomePlugin implements Plugin { addBasePath: core.http.basePath.prepend, getBasePath: core.http.basePath.get, indexPatternService: this.dataStart!.indexPatterns, + environment: this.environment!, ...angularDependencies, }); const { renderApp } = await import('./np_ready/application'); @@ -94,8 +101,8 @@ export class HomePlugin implements Plugin { }); } - start(core: CoreStart, { data }: HomePluginStartDependencies) { - // TODO is this really the right way? I though the app context would give us those + start(core: CoreStart, { data, home }: HomePluginStartDependencies) { + this.environment = home.environment.get(); this.dataStart = data; this.savedObjectsClient = core.savedObjects.client; } diff --git a/src/legacy/core_plugins/kibana/public/visualize_embeddable/visualize_embeddable_factory.tsx b/src/legacy/core_plugins/kibana/public/visualize_embeddable/visualize_embeddable_factory.tsx index dd6723fb578afe..ebb9ce2cfdf6b2 100644 --- a/src/legacy/core_plugins/kibana/public/visualize_embeddable/visualize_embeddable_factory.tsx +++ b/src/legacy/core_plugins/kibana/public/visualize_embeddable/visualize_embeddable_factory.tsx @@ -23,7 +23,6 @@ import 'uiExports/docViews'; import 'uiExports/embeddableActions'; import 'uiExports/fieldFormatEditors'; import 'uiExports/fieldFormats'; -import 'uiExports/home'; import 'uiExports/indexManagement'; import 'uiExports/inspectorViews'; import 'uiExports/savedObjectTypes'; 
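Review bot: `environment: this.environment!` in the mount path asserts that `start` has already run, but nothing in the hunk enforces the ordering; it mirrors the existing `this.dataStart!`, so it matches the file's style, yet a guard before the services object is assembled would turn a silent `undefined` into a localized failure: `if (!this.environment) throw new Error('HomePlugin: start() must run before the home app is mounted');`. Also worth noting on `this.environment = home.environment.get();` is that `start` keeps a one-time snapshot, so any `environment.update` issued after `start` is invisible to the home app; that is presumably intended (updates belong to setup), and a one-line comment such as `// snapshot taken once at start; later environment.update calls are not observed` would make the assumption explicit.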
diff --git a/src/legacy/ui/public/new_platform/new_platform.karma_mock.js b/src/legacy/ui/public/new_platform/new_platform.karma_mock.js index 06424ea48a40f9..d3f74a540b9604 100644 --- a/src/legacy/ui/public/new_platform/new_platform.karma_mock.js +++ b/src/legacy/ui/public/new_platform/new_platform.karma_mock.js @@ -131,6 +131,9 @@ export const npSetup = { featureCatalogue: { register: sinon.fake(), }, + environment: { + update: sinon.fake(), + }, }, }, }; diff --git a/src/plugins/home/public/index.ts b/src/plugins/home/public/index.ts index 25e94c20c347b8..ca05c8b5f760e7 100644 --- a/src/plugins/home/public/index.ts +++ b/src/plugins/home/public/index.ts @@ -23,7 +23,7 @@ export { HomePublicPluginSetup, HomePublicPluginStart, } from './plugin'; -export { FeatureCatalogueEntry, FeatureCatalogueCategory } from './services'; +export { FeatureCatalogueEntry, FeatureCatalogueCategory, Environment } from './services'; import { HomePublicPlugin } from './plugin'; export const plugin = () => new HomePublicPlugin(); diff --git a/src/plugins/home/public/plugin.test.mocks.ts b/src/plugins/home/public/plugin.test.mocks.ts index a48ea8f7951366..461930ddfb80fe 100644 --- a/src/plugins/home/public/plugin.test.mocks.ts +++ b/src/plugins/home/public/plugin.test.mocks.ts @@ -18,8 +18,11 @@ */ import { featureCatalogueRegistryMock } from './services/feature_catalogue/feature_catalogue_registry.mock'; +import { environmentServiceMock } from './services/environment/environment.mock'; export const registryMock = featureCatalogueRegistryMock.create(); +export const environmentMock = environmentServiceMock.create(); jest.doMock('./services', () => ({ FeatureCatalogueRegistry: jest.fn(() => registryMock), + EnvironmentService: jest.fn(() => environmentMock), })); diff --git a/src/plugins/home/public/plugin.test.ts b/src/plugins/home/public/plugin.test.ts index fad6e8cf47bfec..34502d7d2c6cd8 100644 --- a/src/plugins/home/public/plugin.test.ts +++ b/src/plugins/home/public/plugin.test.ts 
@@ -17,13 +17,15 @@ * under the License. */ -import { registryMock } from './plugin.test.mocks'; +import { registryMock, environmentMock } from './plugin.test.mocks'; import { HomePublicPlugin } from './plugin'; describe('HomePublicPlugin', () => { beforeEach(() => { registryMock.setup.mockClear(); registryMock.start.mockClear(); + environmentMock.setup.mockClear(); + environmentMock.start.mockClear(); }); describe('setup', () => { @@ -32,6 +34,12 @@ describe('HomePublicPlugin', () => { expect(setup).toHaveProperty('featureCatalogue'); expect(setup.featureCatalogue).toHaveProperty('register'); }); + + test('wires up and returns environment service', async () => { + const setup = await new HomePublicPlugin().setup(); + expect(setup).toHaveProperty('environment'); + expect(setup.environment).toHaveProperty('update'); + }); }); describe('start', () => { @@ -45,5 +53,15 @@ describe('HomePublicPlugin', () => { }); expect(start.featureCatalogue.get).toBeDefined(); }); + + test('wires up and returns environment service', async () => { + const service = new HomePublicPlugin(); + await service.setup(); + const start = await service.start({ + application: { capabilities: { catalogue: {} } }, + } as any); + expect(environmentMock.start).toHaveBeenCalled(); + expect(start.environment.get).toBeDefined(); + }); }); }); diff --git a/src/plugins/home/public/plugin.ts b/src/plugins/home/public/plugin.ts index 40f2047ef00166..39a7f23826900b 100644 --- a/src/plugins/home/public/plugin.ts +++ b/src/plugins/home/public/plugin.ts @@ -19,6 +19,9 @@ import { CoreStart, Plugin } from 'src/core/public'; import { + EnvironmentService, + EnvironmentServiceSetup, + EnvironmentServiceStart, FeatureCatalogueRegistry, FeatureCatalogueRegistrySetup, FeatureCatalogueRegistryStart, 
@@ -26,10 +29,12 @@ import { export class HomePublicPlugin implements Plugin { private readonly featuresCatalogueRegistry = new FeatureCatalogueRegistry(); + private readonly environmentService = new EnvironmentService(); public async setup() { return { featureCatalogue: { ...this.featuresCatalogueRegistry.setup() }, + environment: { ...this.environmentService.setup() }, }; } @@ -40,6 +45,7 @@ export class HomePublicPlugin implements Plugin => { + const setup = { + update: jest.fn(), + }; + return setup; +}; + +const createStartMock = (): jest.Mocked => { + const start = { + get: jest.fn(), + }; + return start; +}; + +const createMock = (): jest.Mocked> => { + const service = { + setup: jest.fn(), + start: jest.fn(), + }; + service.setup.mockImplementation(createSetupMock); + service.start.mockImplementation(createStartMock); + return service; +}; + +export const environmentServiceMock = { + createSetup: createSetupMock, + createStart: createStartMock, + create: createMock, +}; diff --git a/src/plugins/home/public/services/environment/environment.test.ts b/src/plugins/home/public/services/environment/environment.test.ts new file mode 100644 index 00000000000000..f42eba782a760b --- /dev/null +++ b/src/plugins/home/public/services/environment/environment.test.ts 
@@ -0,0 +1,47 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { EnvironmentService } from './environment'; + +describe('EnvironmentService', () => { + describe('setup', () => { + test('allows multiple update calls', () => { + const setup = new EnvironmentService().setup(); + expect(() => { + setup.update({ ml: true }); + setup.update({ apmUi: true }); + }).not.toThrow(); + }); + }); + + describe('start', () => { + test('returns default values', () => { + const service = new EnvironmentService(); + expect(service.start().get()).toEqual({ ml: false, cloud: false, apmUi: false }); + }); + + test('returns last state of update calls', () => { + const service = new EnvironmentService(); + const setup = service.setup(); + setup.update({ ml: true, cloud: true }); + setup.update({ ml: false, apmUi: true }); + expect(service.start().get()).toEqual({ ml: false, cloud: true, apmUi: true }); + }); + }); +}); diff --git a/src/plugins/home/public/services/environment/environment.ts b/src/plugins/home/public/services/environment/environment.ts new file mode 100644 index 00000000000000..36c1afbca5e732 --- /dev/null +++ b/src/plugins/home/public/services/environment/environment.ts 
@@ -0,0 +1,71 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/** @public */ +export interface Environment { + /** + * Flag whether the home app should advertize cloud features + */ + readonly cloud: boolean; + /** + * Flag whether the home app should advertize apm features + */ + readonly apmUi: boolean; + /** + * Flag whether the home app should advertize ml features + */ + readonly ml: boolean; +} + +export class EnvironmentService { + private environment = { + cloud: false, + apmUi: false, + ml: false, + }; + + public setup() { + return { + /** + * Update the environment to influence how the home app is presenting available features. + * This API should not be extended for new features and will be removed in future versions + * in favor of display specific extension apis. + * @deprecated + * @param update + */ + update: (update: Partial) => { + this.environment = Object.assign({}, this.environment, update); + }, + }; + } + + public start() { + return { + /** + * Retrieve the current environment home is running in. This API is only intended for internal + * use and is only exposed during a transition period of migrating the home app to the new platform. 
+ * @deprecated + */ + get: (): Environment => this.environment, + }; + } +} + +export type EnvironmentServiceSetup = ReturnType; +export type EnvironmentServiceStart = ReturnType; diff --git a/src/plugins/home/public/services/environment/index.ts b/src/plugins/home/public/services/environment/index.ts new file mode 100644 index 00000000000000..ed20f6adb96c6a --- /dev/null +++ b/src/plugins/home/public/services/environment/index.ts @@ -0,0 +1,25 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +export { + EnvironmentService, + Environment, + EnvironmentServiceSetup, + EnvironmentServiceStart, +} from './environment'; diff --git a/src/plugins/home/public/services/index.ts b/src/plugins/home/public/services/index.ts index 3621b0912393a3..a6542dd066a67b 100644 --- a/src/plugins/home/public/services/index.ts +++ b/src/plugins/home/public/services/index.ts @@ -18,3 +18,4 @@ */ export * from './feature_catalogue'; +export * from './environment'; 
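Review bot: `update` merges with `Object.assign({}, this.environment, update)`, so a partial update carrying an explicit `undefined` (for example `{ apmUi: undefined }`) overwrites the flag with `undefined` rather than leaving it untouched, and `get()` then returns an object whose fields no longer satisfy the `boolean` contract of `Environment`. Both callers in this PR feed it `getInjectedVar(...) as boolean`, which is a type assertion and not a conversion, so the service is the one place that can reliably normalize; the rewrite below skips `undefined` keys, coerces with `Boolean`, and freezes the stored object so that `get()` no longer hands out a mutable reference behind `readonly` fields that only exist at compile time. It would also help to state in the `update` docs that the closure stays callable after `start()` even though the consumers snapshot the value at start. The `EnvironmentService` class starts on line L751 and this hunk holds its remainder.
```typescript
      update: (update: Partial<Environment>) => {
        const next = { ...this.environment };
        for (const [key, value] of Object.entries(update)) {
          // skip undefined so a missing injected var cannot clear a flag; coerce so the
          // boolean contract holds at runtime even when callers pass an asserted value
          if (value !== undefined) next[key as keyof Environment] = Boolean(value);
        }
        this.environment = Object.freeze(next);
      },
// … unchanged: start() / get() …
```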
diff --git a/x-pack/legacy/plugins/apm/public/legacy_register_feature.js b/x-pack/legacy/plugins/apm/public/legacy_register_feature.ts
similarity index 53%
rename from x-pack/legacy/plugins/apm/public/legacy_register_feature.js
rename to x-pack/legacy/plugins/apm/public/legacy_register_feature.ts
index 6e98d0784bee1c..f12865399054e8 100644
--- a/x-pack/legacy/plugins/apm/public/legacy_register_feature.js
+++ b/x-pack/legacy/plugins/apm/public/legacy_register_feature.ts
@@ -4,13 +4,21 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { npStart } from 'ui/new_platform';
-import { FeatureCatalogueRegistryProvider } from 'ui/registry/feature_catalogue';
+import { npSetup } from 'ui/new_platform';
 import { featureCatalogueEntry } from './new-platform/featureCatalogueEntry';
 
-const { core } = npStart;
-const apmUiEnabled = core.injectedMetadata.getInjectedVar('apmUiEnabled');
+const {
+ core,
+ plugins: { home }
+} = npSetup;
+const apmUiEnabled = core.injectedMetadata.getInjectedVar(
+ 'apmUiEnabled'
+) as boolean;
 
 if (apmUiEnabled) {
- FeatureCatalogueRegistryProvider.register(() => featureCatalogueEntry);
+ home.featureCatalogue.register(featureCatalogueEntry);
 }
+
+home.environment.update({
+ apmUi: apmUiEnabled
+});
diff --git a/x-pack/legacy/plugins/apm/public/new-platform/plugin.tsx b/x-pack/legacy/plugins/apm/public/new-platform/plugin.tsx
index 216af91fbb5914..de6cbc7d7a3358 100644
--- a/x-pack/legacy/plugins/apm/public/new-platform/plugin.tsx
+++ b/x-pack/legacy/plugins/apm/public/new-platform/plugin.tsx
@@ -17,6 +17,7 @@ import { Plugin, PluginInitializerContext } from '../../../../../../src/core/public';
+import { featureCatalogueEntry } from './featureCatalogueEntry';
 import { DataPublicPluginSetup } from '../../../../../../src/plugins/data/public';
 import { HomePublicPluginSetup } from '../../../../../../src/plugins/home/public';
 import { LicensingPluginSetup } from '../../../../../plugins/licensing/public';
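Review bot: `getInjectedVar('apmUiEnabled') as boolean` is a type assertion, not a conversion: when the variable is not injected the value is `undefined` at runtime, the `if (apmUiEnabled)` branch still behaves, but `home.environment.update({ apmUi: apmUiEnabled })` then pushes `undefined` into a field typed `boolean`. The same pattern is introduced for `mlEnabled` in `x-pack/legacy/plugins/ml/public/register_feature.ts`. Comparing instead of asserting keeps the type honest on both sides, e.g. `const apmUiEnabled = core.injectedMetadata.getInjectedVar('apmUiEnabled') === true;`.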
@@ -32,7 +33,6 @@ import { UrlParamsProvider } from '../context/UrlParamsContext'; import { createStaticIndexPattern } from '../services/rest/index_pattern'; import { px, unit, units } from '../style/variables'; import { history } from '../utils/history'; -import { featureCatalogueEntry } from './featureCatalogueEntry'; import { getConfigFromInjectedMetadata } from './getConfigFromInjectedMetadata'; import { setHelpExtension } from './setHelpExtension'; import { toggleAppLinkInNav } from './toggleAppLinkInNav'; diff --git a/x-pack/legacy/plugins/ml/public/register_feature.js b/x-pack/legacy/plugins/ml/public/register_feature.js deleted file mode 100644 index c8d2fd7f6f6763..00000000000000 --- a/x-pack/legacy/plugins/ml/public/register_feature.js +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { - FeatureCatalogueRegistryProvider, - FeatureCatalogueCategory, -} from 'ui/registry/feature_catalogue'; - -import { i18n } from '@kbn/i18n'; - -FeatureCatalogueRegistryProvider.register(() => { - return { - id: 'ml', - title: i18n.translate('xpack.ml.machineLearningTitle', { - defaultMessage: 'Machine Learning', - }), - description: i18n.translate('xpack.ml.machineLearningDescription', { - defaultMessage: - 'Automatically model the normal behavior of your time series data to detect anomalies.', - }), - icon: 'machineLearningApp', - path: '/app/ml', - showOnHomePage: true, - category: FeatureCatalogueCategory.DATA, - }; -}); diff --git a/x-pack/legacy/plugins/ml/public/register_feature.ts b/x-pack/legacy/plugins/ml/public/register_feature.ts new file mode 100644 index 00000000000000..c75e37becbc0fd --- /dev/null +++ b/x-pack/legacy/plugins/ml/public/register_feature.ts 
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+import { npSetup } from 'ui/new_platform';
+import { FeatureCatalogueCategory } from '../../../../../src/plugins/home/public';
+
+npSetup.plugins.home.featureCatalogue.register({
+ id: 'ml',
+ title: i18n.translate('xpack.ml.machineLearningTitle', {
+ defaultMessage: 'Machine Learning',
+ }),
+ description: i18n.translate('xpack.ml.machineLearningDescription', {
+ defaultMessage:
+ 'Automatically model the normal behavior of your time series data to detect anomalies.',
+ }),
+ icon: 'machineLearningApp',
+ path: '/app/ml',
+ showOnHomePage: true,
+ category: FeatureCatalogueCategory.DATA,
+});
+
+npSetup.plugins.home.environment.update({
+ ml: npSetup.core.injectedMetadata.getInjectedVar('mlEnabled') as boolean,
+});
diff --git a/x-pack/plugins/cloud/kibana.json b/x-pack/plugins/cloud/kibana.json
index 4b8b7bbf3186c3..27b35bcbdd88b9 100644
--- a/x-pack/plugins/cloud/kibana.json
+++ b/x-pack/plugins/cloud/kibana.json
@@ -3,7 +3,7 @@
 "version": "8.0.0",
 "kibanaVersion": "kibana",
 "configPath": ["xpack", "cloud"],
- "optionalPlugins": ["usageCollection"],
+ "optionalPlugins": ["usageCollection", "home"],
 "server": true,
 "ui": true
 }
diff --git a/x-pack/plugins/cloud/public/plugin.ts b/x-pack/plugins/cloud/public/plugin.ts
index 63f75ccd2ec946..f6408afb31493c 100644
--- a/x-pack/plugins/cloud/public/plugin.ts
+++ b/x-pack/plugins/cloud/public/plugin.ts
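Review bot: `npSetup.plugins.home.featureCatalogue.register(...)` runs regardless of `mlEnabled`, whereas the APM registration in this same series guards `register` with its flag and only makes `environment.update` unconditional; if home is expected to hide the ML card via the environment flag, say so with a comment like `// registered unconditionally; home hides the card when environment.ml is false`, otherwise wrap the registration in `if (mlEnabled)`. The `as boolean` cast on `getInjectedVar('mlEnabled')` also yields `undefined` rather than `false` when the var is missing; `npSetup.core.injectedMetadata.getInjectedVar('mlEnabled') === true` gives the environment a definite boolean.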
@@ -7,11 +7,16 @@ import { CoreSetup, CoreStart, Plugin, PluginInitializerContext } from 'src/core/public'; import { getIsCloudEnabled } from '../common/is_cloud_enabled'; import { ELASTIC_SUPPORT_LINK } from '../common/constants'; +import { HomePublicPluginSetup } from '../../../../src/plugins/home/public'; interface CloudConfigType { id?: string; } +interface CloudSetupDependencies { + home?: HomePublicPluginSetup; +} + export interface CloudSetup { cloudId?: string; isCloudEnabled: boolean; @@ -20,10 +25,14 @@ export interface CloudSetup { export class CloudPlugin implements Plugin { constructor(private readonly initializerContext: PluginInitializerContext) {} - public async setup(core: CoreSetup) { + public async setup(core: CoreSetup, { home }: CloudSetupDependencies) { const { id } = this.initializerContext.config.get(); const isCloudEnabled = getIsCloudEnabled(id); + if (home) { + home.environment.update({ cloud: isCloudEnabled }); + } + return { cloudId: id, isCloudEnabled, From f77b36206a73c2339b615fc0731280005530fe3c Mon Sep 17 00:00:00 2001 From: Matt Bargar Date: Wed, 15 Jan 2020 04:56:36 -0500 Subject: [PATCH 07/10] Add label and icon to nested fields in the doc table (#54199) * Apply label and icon to nested fields in the doc table * Include nested fields in the index pattern so we can identify them in the Discover UI * use color recommended by design * Fix unit tests * Update api integration test * Fix test comment Co-authored-by: Elastic Machine Co-authored-by: Tim Roes --- .../directives/field_name/field_type_name.ts | 4 ++++ .../field_caps_response.test.js | 12 +++++++----- .../field_capabilities/field_caps_response.ts | 2 +- .../public/field_icon/field_icon.tsx | 2 ++ .../fields_for_wildcard_route/response.js | 16 ++++++++++++++++ 5 files changed, 30 insertions(+), 6 deletions(-) 
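Review bot: `CloudSetupDependencies.home` is optional and the `if (home)` guard silently skips the environment update, but nothing documents why, so a reader of `setup` cannot tell whether a missing `cloud` flag in home is a bug or expected. Add `/** Present only when the optional \`home\` plugin is enabled (see kibana.json optionalPlugins). */` above `home?: HomePublicPluginSetup;` and `// home is optional; without it there is nowhere to report the flag` at the guard. `setup` is declared `async` yet the visible body awaits nothing; unless the Plugin contract (its type parameters are not legible on this page) requires a Promise, dropping `async` keeps the setup contract synchronous for consumers.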
diff --git a/src/legacy/ui/public/directives/field_name/field_type_name.ts b/src/legacy/ui/public/directives/field_name/field_type_name.ts index 14376b163d6f01..c8c886015cea32 100644 --- a/src/legacy/ui/public/directives/field_name/field_type_name.ts +++ b/src/legacy/ui/public/directives/field_name/field_type_name.ts @@ -61,6 +61,10 @@ export function getFieldTypeName(type: string) { return i18n.translate('common.ui.directives.fieldNameIcons.stringFieldAriaLabel', { defaultMessage: 'String field', }); + case 'nested': + return i18n.translate('common.ui.directives.fieldNameIcons.nestedFieldAriaLabel', { + defaultMessage: 'Nested field', + }); default: return i18n.translate('common.ui.directives.fieldNameIcons.unknownFieldAriaLabel', { defaultMessage: 'Unknown field', diff --git a/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.test.js b/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.test.js index 0d787fa56b400a..3ec903d5b18e43 100644 --- a/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.test.js +++ b/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.test.js @@ -37,7 +37,7 @@ describe('index_patterns/field_capabilities/field_caps_response', () => { describe('conflicts', () => { it('returns a field for each in response, no filtering', () => { const fields = readFieldCapsResponse(esResponse); - expect(fields).toHaveLength(24); + expect(fields).toHaveLength(25); }); it( 
@@ -68,8 +68,8 @@ describe('index_patterns/field_capabilities/field_caps_response', () => { sandbox.spy(shouldReadFieldFromDocValuesNS, 'shouldReadFieldFromDocValues'); const fields = readFieldCapsResponse(esResponse); const conflictCount = fields.filter(f => f.type === 'conflict').length; - // +2 is for the object and nested fields which get filtered out of the final return value from readFieldCapsResponse - sinon.assert.callCount(shouldReadFieldFromDocValues, fields.length - conflictCount + 2); + // +1 is for the object field which is filtered out of the final return value from readFieldCapsResponse + sinon.assert.callCount(shouldReadFieldFromDocValues, fields.length - conflictCount + 1); }); it('converts es types to kibana types', () => { @@ -159,10 +159,12 @@ describe('index_patterns/field_capabilities/field_caps_response', () => { }); }); - it('does not include the field actually mapped as nested itself', () => { + it('returns the nested parent as not searchable or aggregatable', () => { const fields = readFieldCapsResponse(esResponse); const child = fields.find(f => f.name === 'nested_object_parent'); - expect(child).toBeUndefined(); + expect(child.type).toBe('nested'); + expect(child.aggregatable).toBe(false); + expect(child.searchable).toBe(false); }); it('should not confuse object children for multi or nested field children', () => { diff --git a/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.ts b/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.ts index 2215bd8a95a1d0..0c8c2ce48fa844 100644 --- a/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.ts +++ b/src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_caps_response.ts 
@@ -195,6 +195,6 @@ export function readFieldCapsResponse(fieldCapsResponse: FieldCapsResponse): Fie
 });
 
 return kibanaFormattedCaps.filter(field => {
- return !['object', 'nested'].includes(field.type);
+ return !['object'].includes(field.type);
 });
 }
diff --git a/src/plugins/kibana_react/public/field_icon/field_icon.tsx b/src/plugins/kibana_react/public/field_icon/field_icon.tsx
index 0c5d2b0c24831c..7c44fe89d0e7ff 100644
--- a/src/plugins/kibana_react/public/field_icon/field_icon.tsx
+++ b/src/plugins/kibana_react/public/field_icon/field_icon.tsx
@@ -36,6 +36,7 @@ interface FieldIconProps {
 | 'number'
 | '_source'
 | 'string'
+ | 'nested'
 | string;
 label?: string;
 size?: IconSize;
@@ -61,6 +62,7 @@ export const typeToEuiIconMap: Partial> = {
 number: { icon: 'number', color: colors[0] },
 _source: { icon: 'editorCodeBlock', color: colors[3] },
 string: { icon: 'string', color: colors[4] },
+ nested: { icon: 'nested', color: colors[2] },
 };
 
 /**
diff --git a/test/api_integration/apis/index_patterns/fields_for_wildcard_route/response.js b/test/api_integration/apis/index_patterns/fields_for_wildcard_route/response.js
index 25a533d39dd81c..555056173ec62f 100644
--- a/test/api_integration/apis/index_patterns/fields_for_wildcard_route/response.js
+++ b/test/api_integration/apis/index_patterns/fields_for_wildcard_route/response.js
@@ -71,6 +71,14 @@ export default function({ getService }) {
 name: 'foo',
 readFromDocValues: true,
 },
+ {
+ aggregatable: false,
+ esTypes: ['nested'],
+ name: 'nestedField',
+ readFromDocValues: false,
+ searchable: false,
+ type: 'nested',
+ },
 {
 aggregatable: false,
 esTypes: ['keyword'],
@@ -153,6 +161,14 @@ export default function({ getService }) {
 name: 'foo',
 readFromDocValues: true,
 },
+ {
+ aggregatable: false,
+ esTypes: ['nested'],
+ name: 'nestedField',
+ readFromDocValues: false,
+ searchable: false,
+ type: 'nested',
+ },
 {
 aggregatable: false,
 esTypes: ['keyword'],
From 33713cbdc0b00939ed679db905b50b691c5e6df4 Mon Sep 17 00:00:00 2001
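Review bot: `!['object'].includes(field.type)` allocates a one-element array per field to express an equality test; now that `'nested'` is out of the list, `return field.type !== 'object';` says the same thing directly. A comment on why nested parents are now retained would stop the next reader from re-adding the filter, e.g. `// keep nested parents (returned as non-searchable/non-aggregatable) so the UI can label nested fields; only plain object fields are dropped`. `readFieldCapsResponse` starts outside the hunk.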
From: CJ Cenizal Date: Wed, 15 Jan 2020 02:28:38 -0800 Subject: [PATCH 08/10] Skip flakey index template component integration tests. (#54878) --- .../__jest__/client_integration/template_edit.test.tsx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/legacy/plugins/index_management/__jest__/client_integration/template_edit.test.tsx b/x-pack/legacy/plugins/index_management/__jest__/client_integration/template_edit.test.tsx index b0e66f79675cf7..537b0d8ef41563 100644 --- a/x-pack/legacy/plugins/index_management/__jest__/client_integration/template_edit.test.tsx +++ b/x-pack/legacy/plugins/index_management/__jest__/client_integration/template_edit.test.tsx @@ -128,7 +128,8 @@ describe('', () => { expect(nameInput.props().disabled).toEqual(true); }); - describe('form payload', () => { + // TODO: Flakey test + describe.skip('form payload', () => { beforeEach(async () => { const { actions, component, find, form } = testBed; From d082c03e9d1b39c54b2ef9449418e48324606084 Mon Sep 17 00:00:00 2001 From: Dima Arnautov Date: Wed, 15 Jan 2020 13:42:35 +0100 Subject: [PATCH 09/10] [ML] Calculate model memory limit API integration tests (#54557) * [ML] calculate model memory limit api integration tests * [ML] extra test cases --- .../apis/ml/calculate_model_memory_limit.ts | 162 ++++++++++++++++++ x-pack/test/api_integration/apis/ml/index.ts | 1 + 2 files changed, 163 insertions(+) create mode 100644 x-pack/test/api_integration/apis/ml/calculate_model_memory_limit.ts diff --git a/x-pack/test/api_integration/apis/ml/calculate_model_memory_limit.ts b/x-pack/test/api_integration/apis/ml/calculate_model_memory_limit.ts new file mode 100644 index 00000000000000..b725996533732f --- /dev/null +++ b/x-pack/test/api_integration/apis/ml/calculate_model_memory_limit.ts 
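Review bot: `describe.skip('form payload', ...)` removes the only assertions in this file that check what the edit form actually submits, and `// TODO: Flakey test` gives no tracking reference, so the skip is easy to forget. Link the issue and the re-enable condition, e.g. `// TODO: flaky test, re-enable once the tracking issue is resolved`. If only one `it` inside the block is flaky, skipping that case rather than the whole `describe` would keep the payload coverage. The enclosing `describe` starts outside the hunk.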
@@ -0,0 +1,162 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import expect from '@kbn/expect'; + +import { FtrProviderContext } from '../../ftr_provider_context'; + +const COMMON_HEADERS = { + 'kbn-xsrf': 'some-xsrf-token', +}; + +const testDataList = [ + { + testTitleSuffix: 'with 0 metrics, 0 influencers and no split field', + requestBody: { + indexPattern: 'ecommerce', + splitFieldName: '', + query: { bool: { must: [{ match_all: {} }], filter: [], must_not: [] } }, + fieldNames: ['__ml_event_rate_count__'], + influencerNames: [], + timeFieldName: 'order_date', + earliestMs: 1560297859000, + latestMs: 1562975136000, + }, + expected: { + responseCode: 400, + responseBody: { + statusCode: 400, + error: 'Bad Request', + message: "[illegal_argument_exception] specified fields can't be null or empty", + }, + }, + }, + { + testTitleSuffix: 'with 1 metrics and 1 influencers same as split field', + requestBody: { + indexPattern: 'ecommerce', + splitFieldName: 'geoip.city_name', + query: { bool: { must: [{ match_all: {} }], filter: [], must_not: [] } }, + fieldNames: ['products.base_price'], + influencerNames: ['geoip.city_name'], + timeFieldName: 'order_date', + earliestMs: 1560297859000, + latestMs: 1562975136000, + }, + expected: { + responseCode: 200, + responseBody: { modelMemoryLimit: '12MB' }, + }, + }, + { + testTitleSuffix: 'with 3 metrics, 3 influencers, split by city', + requestBody: { + indexPattern: 'ecommerce', + splitFieldName: 'geoip.city_name', + query: { bool: { must: [{ match_all: {} }], filter: [], must_not: [] } }, + fieldNames: ['products.base_price', 'taxful_total_price', 'products.discount_amount'], + influencerNames: ['geoip.city_name', 'customer_gender', 'customer_full_name.keyword'], + timeFieldName: 'order_date', + earliestMs: 1560297859000, 
+ latestMs: 1562975136000, + }, + expected: { + responseCode: 200, + responseBody: { modelMemoryLimit: '14MB' }, + }, + }, + { + testTitleSuffix: 'with 4 metrics, 4 influencers, split by customer_id', + requestBody: { + indexPattern: 'ecommerce', + splitFieldName: 'customer_id', + query: { bool: { must: [{ match_all: {} }], filter: [], must_not: [] } }, + fieldNames: [ + 'geoip.country_iso_code', + 'taxless_total_price', + 'taxful_total_price', + 'products.discount_amount', + ], + influencerNames: [ + 'customer_id', + 'geoip.country_iso_code', + 'products.discount_percentage', + 'products.discount_amount', + ], + timeFieldName: 'order_date', + earliestMs: 1560297859000, + latestMs: 1562975136000, + }, + expected: { + responseCode: 200, + responseBody: { modelMemoryLimit: '23MB' }, + }, + }, + { + testTitleSuffix: + 'with 4 metrics, 4 influencers, split by customer_id and filtering by country code', + requestBody: { + indexPattern: 'ecommerce', + splitFieldName: 'customer_id', + query: { + bool: { + filter: { + term: { + 'geoip.country_iso_code': 'US', + }, + }, + }, + }, + fieldNames: [ + 'geoip.country_iso_code', + 'taxless_total_price', + 'taxful_total_price', + 'products.discount_amount', + ], + influencerNames: [ + 'customer_id', + 'geoip.country_iso_code', + 'products.discount_percentage', + 'products.discount_amount', + ], + timeFieldName: 'order_date', + earliestMs: 1560297859000, + latestMs: 1562975136000, + }, + expected: { + responseCode: 200, + responseBody: { modelMemoryLimit: '14MB' }, + }, + }, +]; + +// eslint-disable-next-line import/no-default-export +export default ({ getService }: FtrProviderContext) => { + const esArchiver = getService('esArchiver'); + const supertest = getService('supertest'); + + describe('calculate model memory limit', () => { + before(async () => { + await esArchiver.load('ml/ecommerce'); + }); + + after(async () => { + await esArchiver.unload('ml/ecommerce'); + }); + + for (const testData of testDataList) { + it(`calculates 
the model memory limit ${testData.testTitleSuffix}`, async () => { + const { body } = await supertest + .post('/api/ml/validate/calculate_model_memory_limit') + .set(COMMON_HEADERS) + .send(testData.requestBody) + .expect(testData.expected.responseCode); + + expect(body).to.eql(testData.expected.responseBody); + }); + } + }); +}; diff --git a/x-pack/test/api_integration/apis/ml/index.ts b/x-pack/test/api_integration/apis/ml/index.ts index 2e0521e2b82737..9fff4ca8436b06 100644 --- a/x-pack/test/api_integration/apis/ml/index.ts +++ b/x-pack/test/api_integration/apis/ml/index.ts @@ -11,5 +11,6 @@ export default function({ loadTestFile }: FtrProviderContext) { this.tags(['mlqa']); loadTestFile(require.resolve('./bucket_span_estimator')); + loadTestFile(require.resolve('./calculate_model_memory_limit')); }); } From d10d6286ee526c0779eaa9420d9cc36d3cc05e85 Mon Sep 17 00:00:00 2001 From: Rudolf Meijering Date: Wed, 15 Jan 2020 14:29:50 +0100 Subject: [PATCH 10/10] [skip-ci] Core conventions (#52397) * Table of contents for conventions * Add Core Conventions * Add Tests and mocks section * Update src/core/CORE_CONVENTIONS.md Typo Co-Authored-By: Josh Dover * Add pro's/con's for alternatives to private fields support Co-authored-by: Josh Dover --- src/core/CONVENTIONS.md | 8 +- src/core/CORE_CONVENTIONS.md | 140 +++++++++++++++++++++++++++++++++++ 2 files changed, 147 insertions(+), 1 deletion(-) create mode 100644 src/core/CORE_CONVENTIONS.md diff --git a/src/core/CONVENTIONS.md b/src/core/CONVENTIONS.md index 18f82766bdbc16..61c5d5b076a446 100644 --- a/src/core/CONVENTIONS.md +++ b/src/core/CONVENTIONS.md 
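Review bot: The first case pins the API's 400 response to the raw Elasticsearch text `[illegal_argument_exception] specified fields can't be null or empty`, which couples the test to ES wording and enshrines that the validate endpoint appears to pass internal exception messages through to clients; assert `statusCode` and `error` exactly and loosen the message check to `expect(body.message).to.contain('specified fields')` so a sanitized error response would not break the suite. Every request runs as the default `supertest` user, so there is no case for a caller without ML privileges expecting 403 on `/api/ml/validate/calculate_model_memory_limit`, which is what would catch an authorization regression on this endpoint. The exact `modelMemoryLimit` values (`'12MB'`, `'14MB'`, `'23MB'`) depend on the estimator in the paired ES build and may need to be treated as version-specific.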
@@ -1,6 +1,12 @@ # Kibana Conventions -- [Plugin Structure](#plugin-structure) +- [Kibana Conventions](#kibana-conventions) + - [Plugin Structure](#plugin-structure) + - [The PluginInitializer](#the-plugininitializer) + - [The Plugin class](#the-plugin-class) + - [Applications](#applications) + - [Services](#services) + - [Usage Collection](#usage-collection) ## Plugin Structure diff --git a/src/core/CORE_CONVENTIONS.md b/src/core/CORE_CONVENTIONS.md new file mode 100644 index 00000000000000..76f3be1595258d --- /dev/null +++ b/src/core/CORE_CONVENTIONS.md 
@@ -0,0 +1,140 @@ +- [Core Conventions](#core-conventions) + - [1. Exposing API Types](#1-exposing-api-types) + - [2. API Structure and nesting](#2-api-structure-and-nesting) + - [3. Tests and mocks](#3-tests-and-mocks) + +# Core Conventions + +This document contains conventions for development inside `src/core`. Although +many of these might be more widely applicable, adoption within the rest of +Kibana is not the primary objective. + +## 1. Exposing API Types +The following section applies to the types that describe the entire surface +area of Core API's and does not apply to internal types. + + - 1.1 All API types must be exported from the top-level `server` or `public` + directories. + + ```ts + // -- good -- + import { IRouter } from 'src/core/server'; + + // -- bad -- + import { IRouter } from 'src/core/server/http/router.ts'; + ``` + + > Why? This is required for generating documentation from our inline + > typescript doc comments, makes it easier for API consumers to find the + > relevant types and creates a clear distinction between external and + > internal types. + + - 1.2 Classes must not be exposed directly. Instead, use a separate type, + prefixed with an 'I', to describe the public contract of the class. + + ```ts + // -- good (alternative 1) -- + /** + * @public + * {@link UiSettingsClient} + */ + export type IUiSettingsClient = PublicContractOf; + + /** internal only */ + export class UiSettingsClient { + constructor(private setting: string) {} + /** Retrieve all settings */ + public getSettings(): { return this.settings; } + }; + + // -- good (alternative 2) -- + export interface IUiSettingsClient { + /** Retrieve all settings */ + public getSettings(): string; + } + + export class UiSettingsClient implements IUiSettingsClient { + public getSettings(): string; + } + + // -- bad -- + /** external */ + export class UiSettingsClient { + constructor(private setting: string) {} + public getSettings(): { return this.settings; } + } + ``` + + > Why? 
Classes' private members form part of their type signature making it + > impossible to mock a dependency typed as a `class`. + > + > Until we can use ES private field support in Typescript 3.8 + > https://github.com/elastic/kibana/issues/54906 we have two alternatives + > each with their own pro's and cons: + > + > #### Using a derived class (alternative 1) + > + > Pro's: + > - TSDoc comments are located with the source code + > - The class acts as a single source of type information + > + > Con's: + > - "Go to definition" first takes you to where the type gets derived + > requiring a second "Go to definition" to navigate to the type source. + > + > #### Using a separate interface (alternative 2) + > Pro's: + > - Creates an explicit external API contract + > - "Go to definition" will take you directly to the type definition. + > + > Con's: + > - TSDoc comments are located with the interface not next to the + > implementation source code. + > - Creates duplicate type information between the interface and + > implementation class. + +## 2. API Structure and nesting + - 2.1 Nest API methods into their own namespace only if we expect we will be + adding additional methods to that namespace. + + ```ts + // good + core.overlays.openFlyout(...); + core.overlays.openModal(...); + core.overlays.banners.add(...); + core.overlays.banners.remove(...); + core.overlays.banners.replace(...); + + // bad + core.overlays.flyouts.open(...); + core.overlays.modals.open(...); + ``` + + > Why? Nested namespaces should facilitate discovery and navigation for + > consumers of the API. Having namespaces with a single method, effectively + > hides the method under an additional layer without improving the + > organization. However, introducing namespaces early on can avoid API + > churn when we know related API methods will be introduced. + +## 3. Tests and mocks + - 3.1 Declare Jest mocks with a temporary variable to ensure types are + correctly inferred. 
+ + ```ts + // -- good -- + const createMock => { + const mocked: jest.Mocked = { + start: jest.fn(), + }; + mocked.start.mockReturnValue(createStartContractMock()); + return mocked; + }; + // -- bad -- + const createMock = (): jest.Mocked => ({ + start: jest.fn().mockReturnValue(createSetupContractMock()), + }); + ``` + + > Why? Without the temporary variable, Jest types the `start` function as + > `jest` and, as a result, doesn't typecheck the mock return + > value.