[Detection Rules] Add 7.14 rules (#106933)

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json

@@ -7,7 +7,8 @@
     "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
   ],
   "index": [
-    "apm-*-transaction*"
+    "apm-*-transaction*",
+    "traces-apm*"
   ],
   "language": "kuery",
   "license": "Elastic License v2",
@@ -25,5 +26,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json

@@ -7,7 +7,8 @@
     "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
   ],
   "index": [
-    "apm-*-transaction*"
+    "apm-*-transaction*",
+    "traces-apm*"
   ],
   "language": "kuery",
   "license": "Elastic License v2",
@@ -25,5 +26,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json

@@ -25,7 +25,8 @@
     }
   ],
   "index": [
-    "apm-*-transaction*"
+    "apm-*-transaction*",
+    "traces-apm*"
   ],
   "language": "kuery",
   "license": "Elastic License v2",
@@ -43,5 +44,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json

@@ -7,7 +7,8 @@
     "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
   ],
   "index": [
-    "apm-*-transaction*"
+    "apm-*-transaction*",
+    "traces-apm*"
   ],
   "language": "kuery",
   "license": "Elastic License v2",
@@ -25,5 +26,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json

@@ -6,8 +6,12 @@
   "false_positives": [
     "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
   ],
+  "from": "now-9m",
   "index": [
-    "packetbeat-*"
+    "auditbeat-*",
+    "filebeat-*",
+    "packetbeat-*",
+    "logs-endpoint.events.*"
   ],
   "language": "lucene",
   "license": "Elastic License v2",
@@ -25,7 +29,8 @@
     "Elastic",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -58,5 +63,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json

@@ -2,10 +2,13 @@
   "author": [
     "Elastic"
   ],
-  "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.",
+  "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.",
+  "from": "now-9m",
   "index": [
+    "auditbeat-*",
     "filebeat-*",
-    "packetbeat-*"
+    "packetbeat-*",
+    "logs-endpoint.events.*"
   ],
   "language": "kuery",
   "license": "Elastic License v2",
@@ -27,7 +30,8 @@
     "Post-Execution",
     "Threat Detection",
     "Elastic",
-    "Network"
+    "Network",
+    "Host"
   ],
   "threat": [
     {
@@ -55,5 +59,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json

@@ -6,9 +6,12 @@
   "false_positives": [
     "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
   ],
+  "from": "now-9m",
   "index": [
+    "auditbeat-*",
     "filebeat-*",
-    "packetbeat-*"
+    "packetbeat-*",
+    "logs-endpoint.events.*"
   ],
   "language": "kuery",
   "license": "Elastic License v2",
@@ -26,7 +29,8 @@
     "Elastic",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -41,5 +45,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 9
+  "version": 10
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json

@@ -6,8 +6,12 @@
   "false_positives": [
     "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
   ],
+  "from": "now-9m",
   "index": [
-    "packetbeat-*"
+    "auditbeat-*",
+    "filebeat-*",
+    "packetbeat-*",
+    "logs-endpoint.events.*"
   ],
   "language": "lucene",
   "license": "Elastic License v2",
@@ -26,7 +30,8 @@
     "Elastic",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -47,5 +52,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json

@@ -6,8 +6,12 @@
   "false_positives": [
     "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
   ],
+  "from": "now-9m",
   "index": [
-    "packetbeat-*"
+    "auditbeat-*",
+    "filebeat-*",
+    "packetbeat-*",
+    "logs-endpoint.events.*"
   ],
   "language": "lucene",
   "license": "Elastic License v2",
@@ -24,7 +28,8 @@
     "Elastic",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -57,5 +62,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json

@@ -6,8 +6,12 @@
   "false_positives": [
     "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
   ],
+  "from": "now-9m",
   "index": [
-    "packetbeat-*"
+    "auditbeat-*",
+    "filebeat-*",
+    "packetbeat-*",
+    "logs-endpoint.events.*"
   ],
   "language": "lucene",
   "license": "Elastic License v2",
@@ -25,7 +29,8 @@
     "Elastic",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -58,5 +63,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json

@@ -8,6 +8,7 @@
   ],
   "from": "now-9m",
   "index": [
+    "auditbeat-*",
     "filebeat-*",
     "packetbeat-*",
     "logs-endpoint.events.*"
@@ -24,7 +25,8 @@
     "Host",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -39,5 +41,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 7
+  "version": 8
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json

@@ -8,6 +8,7 @@
   ],
   "from": "now-9m",
   "index": [
+    "auditbeat-*",
     "filebeat-*",
     "packetbeat-*",
     "logs-endpoint.events.*"
@@ -28,7 +29,8 @@
     "Host",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -58,5 +60,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 7
+  "version": 8
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json

@@ -8,6 +8,7 @@
   ],
   "from": "now-9m",
   "index": [
+    "auditbeat-*",
     "filebeat-*",
     "packetbeat-*",
     "logs-endpoint.events.*"
@@ -27,7 +28,8 @@
     "Host",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -72,5 +74,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 9
+  "version": 10
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json

@@ -8,6 +8,7 @@
   ],
   "from": "now-9m",
   "index": [
+    "auditbeat-*",
     "filebeat-*",
     "packetbeat-*",
     "logs-endpoint.events.*"
@@ -24,7 +25,8 @@
     "Host",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -69,5 +71,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 7
+  "version": 8
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json

@@ -8,6 +8,7 @@
   ],
   "from": "now-9m",
   "index": [
+    "auditbeat-*",
     "filebeat-*",
     "packetbeat-*",
     "logs-endpoint.events.*"
@@ -27,7 +28,8 @@
     "Host",
     "Network",
     "Threat Detection",
-    "Command and Control"
+    "Command and Control",
+    "Host"
   ],
   "threat": [
     {
@@ -63,5 +65,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 9
+  "version": 10
 }