[SIEM][Detection Engine] pre-packaged rule changes and addition of on…

…e new rule ## Summary pre-packaged rule changes and addition of one new rule ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ ~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~ ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ ~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
elastic · Jan 10, 2020 · 68883c6 · 68883c6
1 parent 7eb88c4
commit 68883c6
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 2 deletions.
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@@ -283,6 +283,7 @@ import rule273 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters
 import rule274 from './splunk_child_processes_of_spoolsvexe.json';
 import rule275 from './splunk_detect_psexec_with_accepteula_flag.json';
 import rule276 from './splunk_processes_created_by_netsh.json';
+import rule277 from './process_execution_via_wmi.json';
 
 export const rawRules = [
   rule1,
@@ -561,4 +562,5 @@ export const rawRules = [
   rule274,
   rule275,
   rule276,
+  rule277,
 ];
diff --git a/.../prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/.../prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
@@ -9,7 +9,7 @@
   "type": "query",
   "from": "now-6m",
   "to": "now",
-  "query": "(destination.port:6665 or destination.port:6666 or destination.port:6667 or destination.port:6668 or destination.port:6669) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
   "language": "kuery",
   "filters": [],
   "enabled": false,

diff --git a/...engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/...engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -9,7 +9,7 @@
   "type": "query",
   "from": "now-6m",
   "to": "now",
-  "query": "destination.port:3389 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
+  "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
   "language": "kuery",
   "filters": [],
   "enabled": false,

diff --git a/...s/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json b/...s/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json
@@ -0,0 +1,17 @@
+{
+  "rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb",
+  "risk_score": 50,
+  "description": "Process Execution via WMI",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Process Execution via WMI",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.name:scrcons.exe",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}