[SIEM] version 7.7 rule import

x-pack/legacy/plugins/siem/cypress/objects/rule.ts

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export const totalNumberOfPrebuiltRules = 92;
+export const totalNumberOfPrebuiltRules = 130;
 
 interface Mitre {
   tactic: string;

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts

@@ -52,7 +52,7 @@ import { hasListsFeature } from '../../feature_flags';
  *  - immutable is forbidden but defaults to true instead of to false and it can only ever be true
  *  - enabled defaults to false instead of true
  *  - version is a required field that must exist
- *  - index is a required field that must exist
+ *  - index is a required field that must exist if type !== machine_learning
  */
 export const addPrepackagedRulesSchema = Joi.object({
   actions: actions.default([]),
@@ -71,7 +71,11 @@ export const addPrepackagedRulesSchema = Joi.object({
     .forbidden()
     .default(true)
     .valid(true),
-  index: index.required(),
+  index: index.when('type', {
+    is: 'machine_learning',
+    then: Joi.forbidden(),
+    otherwise: Joi.required(),
+  }),
   interval: interval.default('5m'),
   query: query.when('type', {
     is: 'machine_learning',

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json

@@ -7,7 +7,6 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Web Application Suspicious Activity: POST Request Declined",
   "query": "http.response.status_code:403 and http.request.method:post",
   "references": [
@@ -17,9 +16,9 @@
   "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
   "severity": "medium",
   "tags": [
-    "Elastic",
-    "APM"
+    "APM",
+    "Elastic"
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json

@@ -7,7 +7,6 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Web Application Suspicious Activity: Unauthorized Method",
   "query": "http.response.status_code:405",
   "references": [
@@ -17,9 +16,9 @@
   "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
   "severity": "medium",
   "tags": [
-    "Elastic",
-    "APM"
+    "APM",
+    "Elastic"
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Adversary Behavior - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Dumping - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Dumping - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Manipulation - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Credential Manipulation - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Exploit - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Exploit - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Malware - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
   "risk_score": 99,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Malware - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Permission Theft - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Permission Theft - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Process Injection - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Process Injection - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention",
   "risk_score": 47,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Ransomware - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection",
   "risk_score": 99,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json

@@ -6,7 +6,6 @@
   ],
   "interval": "10m",
   "language": "kuery",
-  "max_signals": 100,
   "name": "Ransomware - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention",
   "risk_score": 73,
@@ -18,4 +17,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Adding Hidden File Attribute via Attrib",
-  "query": "    event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h",
   "risk_score": 21,
   "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
   "severity": "low",
@@ -48,4 +47,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json

@@ -4,7 +4,6 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Adobe Hijack Persistence",
   "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe",
   "risk_score": 21,
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 2
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Clearing Windows Event Logs",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
   "risk_score": 21,
   "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
   "severity": "low",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Delete Volume USN Journal with Fsutil",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\"  and   process.name:\"fsutil.exe\" and    process.args:(\"usn\" and \"deletejournal\")",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)",
   "risk_score": 21,
   "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
   "severity": "low",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json

@@ -4,9 +4,8 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
-  "max_signals": 100,
   "name": "Deleting Backup Catalogs with Wbadmin",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\"  and process.name:\"wbadmin.exe\" and  process.args:(\"delete\" and \"catalog\")",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)",
   "risk_score": 21,
   "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
   "severity": "low",
@@ -33,4 +32,4 @@
   ],
   "type": "query",
   "version": 1
-}
+}