[SIEM][Detection Engine] Added 10 more rules for prepackaging

## Summary

* Added 10 more rules for prepackaging

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts

@@ -273,6 +273,16 @@ import rule263 from './windows_mimikatz_activity.json';
 import rule264 from './suricata_nonssh_traffic_on_port_22.json';
 import rule265 from './windows_data_compression_using_powershell.json';
 import rule266 from './windows_nmap_scan_activity.json';
+import rule267 from './splunk_windows_event_log_cleared.json';
+import rule268 from './splunk_detect_long_dns_txt_record_response.json';
+import rule269 from './splunk_processes_launching_netsh.json';
+import rule270 from './splunk_detect_large_outbound_icmp_packets.json';
+import rule271 from './splunk_detect_new_local_admin_account.json';
+import rule272 from './splunk_protocols_passing_authentication_in_cleartext.json';
+import rule273 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json';
+import rule274 from './splunk_child_processes_of_spoolsvexe.json';
+import rule275 from './splunk_detect_psexec_with_accepteula_flag.json';
+import rule276 from './splunk_processes_created_by_netsh.json';
 
 export const rawRules = [
   rule1,
@@ -541,4 +551,14 @@ export const rawRules = [
   rule264,
   rule265,
   rule266,
+  rule267,
+  rule268,
+  rule269,
+  rule270,
+  rule271,
+  rule272,
+  rule273,
+  rule274,
+  rule275,
+  rule276,
 ];

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d",
+  "risk_score": 50,
+  "description": "Splunk - Child Processes of Spoolsv.exe",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Child Processes of Spoolsv.exe",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00",
+  "risk_score": 50,
+  "description": "Splunk - Detect Large Outbound ICMP Packets",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Detect Large Outbound ICMP Packets",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba",
+  "risk_score": 50,
+  "description": "Splunk - Detect Long DNS TXT Record Response",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Detect Long DNS TXT Record Response",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16",
+  "risk_score": 50,
+  "description": "Splunk - Detect New Local Admin account",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Detect New Local Admin account",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e",
+  "risk_score": 50,
+  "description": "Splunk - Detect PsExec With accepteula Flag",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Detect PsExec With accepteula Flag",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c",
+  "risk_score": 50,
+  "description": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6",
+  "risk_score": 50,
+  "description": "Splunk - Processes created by netsh",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Processes created by netsh",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.parent.name:netsh.exe",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd",
+  "risk_score": 50,
+  "description": "Splunk - Processes launching netsh",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Processes launching netsh",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39",
+  "risk_score": 50,
+  "description": "Splunk - Protocols passing authentication in cleartext",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Protocols passing authentication in cleartext",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde",
+  "risk_score": 50,
+  "description": "Splunk - Windows Event Log Cleared",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Splunk - Windows Event Log Cleared",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.code:(1102 or 1100)",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}