rule import

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json

@@ -7,7 +7,6 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Web Application Suspicious Activity: POST Request Declined",
   "query": "http.response.status_code:403 and http.request.method:post",
   "references": [
@@ -17,9 +16,9 @@
   "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
   "severity": "medium",
   "tags": [
-    "Elastic",
-    "APM"
+    "APM",
+    "Elastic"
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json

@@ -7,7 +7,6 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Web Application Suspicious Activity: Unauthorized Method",
   "query": "http.response.status_code:405",
   "references": [
@@ -17,9 +16,9 @@
   "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
   "severity": "medium",
   "tags": [
-    "Elastic",
-    "APM"
+    "APM",
+    "Elastic"
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Adversary Behavior - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Dumping - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Dumping - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Manipulation - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Manipulation - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Exploit - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Exploit - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Malware - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
   "risk_score": 99,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Malware - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Permission Theft - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Permission Theft - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Process Injection - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Process Injection - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Ransomware - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection",
   "risk_score": 99,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Ransomware - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Adding Hidden File Attribute via Attrib",
-  "query": "    event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h",
   "risk_score": 21,
   "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
   "severity": "low",
@@ -48,4 +47,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json

@@ -4,7 +4,6 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Adobe Hijack Persistence",
   "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe",
   "risk_score": 21,
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 2
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Clearing Windows Event Logs",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
   "risk_score": 21,
   "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
   "severity": "low",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Delete Volume USN Journal with Fsutil",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\"  and   process.name:\"fsutil.exe\" and    process.args:(\"usn\" and \"deletejournal\")",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)",
   "risk_score": 21,
   "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
   "severity": "low",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Deleting Backup Catalogs with Wbadmin",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\"  and process.name:\"wbadmin.exe\" and  process.args:(\"delete\" and \"catalog\")",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)",
   "risk_score": 21,
   "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
   "severity": "low",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Direct Outbound SMB Connection",
-  "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and   not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+  "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
   "risk_score": 47,
   "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
   "severity": "medium",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Disable Windows Firewall Rules via Netsh",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
   "risk_score": 47,
   "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
   "severity": "medium",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}