[7.x] [SIEM][Detection Engine] critical blocker for updated rules (#56245)

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts

@@ -69,57 +69,56 @@ import rule59 from './linux_nping_activity.json';
 import rule60 from './linux_process_started_in_temp_directory.json';
 import rule61 from './linux_shell_activity_by_web_server.json';
 import rule62 from './linux_socat_activity.json';
-import rule63 from './linux_ssh_forwarding.json';
-import rule64 from './linux_strace_activity.json';
-import rule65 from './linux_tcpdump_activity.json';
-import rule66 from './linux_whoami_commmand.json';
-import rule67 from './network_dns_directly_to_the_internet.json';
-import rule68 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
-import rule69 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
-import rule70 from './network_nat_traversal_port_activity.json';
-import rule71 from './network_port_26_activity.json';
-import rule72 from './network_port_8000_activity_to_the_internet.json';
-import rule73 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
-import rule74 from './network_proxy_port_activity_to_the_internet.json';
-import rule75 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
-import rule76 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule77 from './network_rpc_remote_procedure_call_from_the_internet.json';
-import rule78 from './network_rpc_remote_procedure_call_to_the_internet.json';
-import rule79 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
-import rule80 from './network_smtp_to_the_internet.json';
-import rule81 from './network_sql_server_port_activity_to_the_internet.json';
-import rule82 from './network_ssh_secure_shell_from_the_internet.json';
-import rule83 from './network_ssh_secure_shell_to_the_internet.json';
-import rule84 from './network_telnet_port_activity.json';
-import rule85 from './network_tor_activity_to_the_internet.json';
-import rule86 from './network_vnc_virtual_network_computing_from_the_internet.json';
-import rule87 from './network_vnc_virtual_network_computing_to_the_internet.json';
-import rule88 from './null_user_agent.json';
-import rule89 from './sqlmap_user_agent.json';
-import rule90 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
-import rule91 from './windows_certutil_connecting_to_the_internet.json';
-import rule92 from './windows_command_prompt_connecting_to_the_internet.json';
-import rule93 from './windows_command_shell_started_by_internet_explorer.json';
-import rule94 from './windows_command_shell_started_by_powershell.json';
-import rule95 from './windows_command_shell_started_by_svchost.json';
-import rule96 from './windows_defense_evasion_via_filter_manager.json';
-import rule97 from './windows_execution_via_compiled_html_file.json';
-import rule98 from './windows_execution_via_connection_manager.json';
-import rule99 from './windows_execution_via_net_com_assemblies.json';
-import rule100 from './windows_execution_via_regsvr32.json';
-import rule101 from './windows_execution_via_trusted_developer_utilities.json';
-import rule102 from './windows_html_help_executable_program_connecting_to_the_internet.json';
-import rule103 from './windows_misc_lolbin_connecting_to_the_internet.json';
-import rule104 from './windows_net_command_activity_by_the_system_account.json';
-import rule105 from './windows_persistence_via_application_shimming.json';
-import rule106 from './windows_priv_escalation_via_accessibility_features.json';
-import rule107 from './windows_process_discovery_via_tasklist_command.json';
-import rule108 from './windows_process_execution_via_wmi.json';
-import rule109 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule110 from './windows_signed_binary_proxy_execution.json';
-import rule111 from './windows_signed_binary_proxy_execution_download.json';
-import rule112 from './windows_suspicious_process_started_by_a_script.json';
-import rule113 from './windows_whoami_command_activity.json';
+import rule63 from './linux_strace_activity.json';
+import rule64 from './linux_tcpdump_activity.json';
+import rule65 from './linux_whoami_commmand.json';
+import rule66 from './network_dns_directly_to_the_internet.json';
+import rule67 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
+import rule68 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
+import rule69 from './network_nat_traversal_port_activity.json';
+import rule70 from './network_port_26_activity.json';
+import rule71 from './network_port_8000_activity_to_the_internet.json';
+import rule72 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
+import rule73 from './network_proxy_port_activity_to_the_internet.json';
+import rule74 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
+import rule75 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
+import rule76 from './network_rpc_remote_procedure_call_from_the_internet.json';
+import rule77 from './network_rpc_remote_procedure_call_to_the_internet.json';
+import rule78 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule79 from './network_smtp_to_the_internet.json';
+import rule80 from './network_sql_server_port_activity_to_the_internet.json';
+import rule81 from './network_ssh_secure_shell_from_the_internet.json';
+import rule82 from './network_ssh_secure_shell_to_the_internet.json';
+import rule83 from './network_telnet_port_activity.json';
+import rule84 from './network_tor_activity_to_the_internet.json';
+import rule85 from './network_vnc_virtual_network_computing_from_the_internet.json';
+import rule86 from './network_vnc_virtual_network_computing_to_the_internet.json';
+import rule87 from './null_user_agent.json';
+import rule88 from './sqlmap_user_agent.json';
+import rule89 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
+import rule90 from './windows_certutil_connecting_to_the_internet.json';
+import rule91 from './windows_command_prompt_connecting_to_the_internet.json';
+import rule92 from './windows_command_shell_started_by_internet_explorer.json';
+import rule93 from './windows_command_shell_started_by_powershell.json';
+import rule94 from './windows_command_shell_started_by_svchost.json';
+import rule95 from './windows_defense_evasion_via_filter_manager.json';
+import rule96 from './windows_execution_via_compiled_html_file.json';
+import rule97 from './windows_execution_via_connection_manager.json';
+import rule98 from './windows_execution_via_net_com_assemblies.json';
+import rule99 from './windows_execution_via_regsvr32.json';
+import rule100 from './windows_execution_via_trusted_developer_utilities.json';
+import rule101 from './windows_html_help_executable_program_connecting_to_the_internet.json';
+import rule102 from './windows_misc_lolbin_connecting_to_the_internet.json';
+import rule103 from './windows_net_command_activity_by_the_system_account.json';
+import rule104 from './windows_persistence_via_application_shimming.json';
+import rule105 from './windows_priv_escalation_via_accessibility_features.json';
+import rule106 from './windows_process_discovery_via_tasklist_command.json';
+import rule107 from './windows_process_execution_via_wmi.json';
+import rule108 from './windows_register_server_program_connecting_to_the_internet.json';
+import rule109 from './windows_signed_binary_proxy_execution.json';
+import rule110 from './windows_signed_binary_proxy_execution_download.json';
+import rule111 from './windows_suspicious_process_started_by_a_script.json';
+import rule112 from './windows_whoami_command_activity.json';
 export const rawRules = [
  rule1,
  rule2,
@@ -233,5 +232,4 @@ export const rawRules = [
  rule110,
  rule111,
  rule112,
- rule113,
 ];

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json

@@ -32,7 +32,7 @@
  {
  "id": "T1100",
  "name": "Web Shell",
- "reference": "https://attack.mitre.org/techniques/T1215/"
+ "reference": "https://attack.mitre.org/techniques/T1100/"
  }
  ]
  }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json

@@ -1,5 +1,5 @@
 {
- "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privlieges or move laterally.",
+ "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
  "false_positives": [
  "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
  ],

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json

@@ -49,7 +49,7 @@
  },
  "technique": [
  {
- "id": "T1043",
+ "id": "T1048",
  "name": "Exfiltration Over Alternative Protocol",
  "reference": "https://attack.mitre.org/techniques/T1048/"
  }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json

@@ -45,7 +45,7 @@
  },
  "technique": [
  {
- "id": "T1190",
+ "id": "T1021",
  "name": "Remote Services",
  "reference": "https://attack.mitre.org/techniques/T1021/"
  }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json

@@ -29,7 +29,7 @@
  {
  "id": "T1190",
  "name": "Exploit Public-Facing Application",
- "reference": "https://attack.mitre.org/techniques/T1043/"
+ "reference": "https://attack.mitre.org/techniques/T1190/"
  }
  ]
  }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json

@@ -42,7 +42,7 @@
  },
  "technique": [
  {
- "id": "T1043",
+ "id": "T1048",
  "name": "Exfiltration Over Alternative Protocol",
  "reference": "https://attack.mitre.org/techniques/T1048/"
  }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json

@@ -1,7 +1,7 @@
 {
  "description": "A request to a web application server contained no identifying user agent string.",
  "false_positives": [
- "Some normal applications and scripts may contain no user agent. Most legitmate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
+ "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
  ],
  "filters": [
  {

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json

@@ -1,7 +1,7 @@
 {
  "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11 which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. ",
  "false_positives": [
- "This signal does not indicate that a SQL injection attack occured, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+ "This signal does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
  ],
  "index": [
  "apm-*-transaction*"