[Detection-rules] Add updates for 0.14.1 package (#1016) (#1020)

* [Detection-rules] Add updates for 0.14.1 package

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-kernel-module-activity.asciidoc

@@ -0,0 +1,52 @@
+[[prebuilt-rule-0-14-1-anomalous-kernel-module-activity]]
+=== Anomalous Kernel Module Activity
+
+Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.
+
+*Rule type*: machine_learning
+
+*Rule indices*: None
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15m
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*: 
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 4
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Boot or Logon Autostart Execution
+** ID: T1547
+** Reference URL: https://attack.mitre.org/techniques/T1547/
+* Sub-technique:
+** Name: Kernel Modules and Extensions
+** ID: T1547.006
+** Reference URL: https://attack.mitre.org/techniques/T1547/006/

docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-linux-compiler-activity.asciidoc

@@ -0,0 +1,37 @@
+[[prebuilt-rule-0-14-1-anomalous-linux-compiler-activity]]
+=== Anomalous Linux Compiler Activity
+
+Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.
+
+*Rule type*: machine_learning
+
+*Rule indices*: None
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15m
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: None
+
+*Tags*: 
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 3
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+

docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-linux-population.asciidoc

@@ -0,0 +1,53 @@
+[[prebuilt-rule-0-14-1-anomalous-process-for-a-linux-population]]
+=== Anomalous Process For a Linux Population
+
+Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.
+
+*Rule type*: machine_learning
+
+*Rule indices*: None
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15m
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html
+
+*Tags*: 
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 7
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating an Unusual Linux Process
+Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:
+- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
+- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.
+- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
+----------------------------------

docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-anomalous-process-for-a-windows-population.asciidoc

@@ -0,0 +1,56 @@
+[[prebuilt-rule-0-14-1-anomalous-process-for-a-windows-population]]
+=== Anomalous Process For a Windows Population
+
+Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.
+
+*Rule type*: machine_learning
+
+*Rule indices*: None
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15m
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html
+
+*Tags*: 
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* ML
+
+*Version*: 7
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Triage and analysis
+
+### Investigating an Unusual Windows Process
+Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:
+- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
+- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.
+- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
+- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
+- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
+- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. 
+----------------------------------

docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc

@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-1-application-added-to-google-workspace-domain]]
+=== Application Added to Google Workspace Domain
+
+Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-google_workspace*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://support.google.com/a/answer/6328701?hl=en#
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* Google Workspace
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 5
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
+
+----------------------------------

docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-aws-ec2-full-network-packet-capture-detected.asciidoc

@@ -0,0 +1,85 @@
+[[prebuilt-rule-0-14-1-aws-ec2-full-network-packet-capture-detected]]
+=== AWS EC2 Full Network Packet Capture Detected
+
+Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html
+* https://github.com/easttimor/aws-incident-response
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Network Security
+
+*Version*: 2
+
+*Rule authors*: 
+
+* Elastic
+* Austin Songer
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown]
+----------------------------------
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and 
+event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and 
+event.outcome:success
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Automated Exfiltration
+** ID: T1020
+** Reference URL: https://attack.mitre.org/techniques/T1020/
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Data Staged
+** ID: T1074
+** Reference URL: https://attack.mitre.org/techniques/T1074/