[SIEM][Detection Engine] Adds 77 more pre-packaged rules and another unit test for it

## Summary

* Adds more prepackaged rules and another unit test

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+  "risk_score": 50,
+  "description": "EQL - Adding the Hidden File Attribute with via attrib.exe",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Adding the Hidden File Attribute with via attrib.exe",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "    event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+  "risk_score": 50,
+  "description": "EQL - Adobe Hijack Persistence",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Adobe Hijack Persistence",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada",
+  "risk_score": 50,
+  "description": "EQL - Audio Capture via PowerShell",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Audio Capture via PowerShell",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1",
+  "risk_score": 50,
+  "description": "EQL - Audio Capture via SoundRecorder",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Audio Capture via SoundRecorder",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
+  "risk_score": 50,
+  "description": "EQL -Bypass UAC Event Viewer",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL -Bypass UAC Event Viewer",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
+  "risk_score": 50,
+  "description": "EQL - Bypass UAC via CMSTP",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Bypass UAC via CMSTP",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
+  "risk_score": 50,
+  "description": "EQL -Bypass UAC Via sdclt",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL -Bypass UAC Via sdclt",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+  "risk_score": 50,
+  "description": "EQL - Clearing Windows Event Logs",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Clearing Windows Event Logs",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+  "risk_score": 50,
+  "description": "EQL - Delete Volume USN Journal with fsutil",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Delete Volume USN Journal with fsutil",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\"  and   process.name:\"fsutil.exe\" and    process.args:(\"usn\" and \"deletejournal\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+  "risk_score": 50,
+  "description": "EQL - Deleting Backup Catalogs with wbadmin",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Deleting Backup Catalogs with wbadmin",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\"  and process.name:\"wbadmin.exe\" and  process.args:(\"delete\" and \"catalog\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+  "risk_score": 50,
+  "description": "EQL - Direct Outbound SMB Connection",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Direct Outbound SMB Connection",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and   not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+  "risk_score": 50,
+  "description": "EQL - Disable Windows Firewall Rules with Netsh",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Disable Windows Firewall Rules with Netsh",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
+  "risk_score": 50,
+  "description": "EQL - DLL Search Order Hijack",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - DLL Search Order Hijack",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"File created (rule: FileCreate)\"  and    not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and    file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or               \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or               \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or               \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or               \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or               \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or               \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or               \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or               \"C\\Windows\\System32\\ntwdblib.dll\") ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
+  "risk_score": 50,
+  "description": "EQL - Encoding or Decoding Files via CertUtil",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Encoding or Decoding Files via CertUtil",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and    process.name:\"certutil.exe\" and    process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+  "risk_score": 50,
+  "description": "EQL - Local Scheduled Task Commands",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Local Scheduled Task Commands",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+  "risk_score": 50,
+  "description": "EQL - Local Service Commands",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Local Service Commands",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and  process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
+  "risk_score": 50,
+  "description": "EQL - Modification of Boot Configuration",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Modification of Boot Configuration",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and   process.name:\"bcdedit.exe\" and    process.args:\"set\" and    process.args:(     (\"bootstatuspolicy\" and \"ignoreallfailures\") or      (\"recoveryenabled\" and \"no\")   ) ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+  "risk_score": 50,
+  "description": "EQL -  MsBuild Making Network Connections",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL -  MsBuild Making Network Connections",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
+  "risk_score": 50,
+  "description": "EQL - Mshta Making Network Connections",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Mshta Making Network Connections",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "  event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\" and not parent.process.name:\"Microsoft.ConfigurationManagement.exe\"",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
+  "risk_score": 50,
+  "description": "EQL - MsXsl Making Network Connections",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - MsXsl Making Network Connections",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.name:msxml.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+  "risk_score": 50,
+  "description": "EQL - PsExec Lateral Movement Command",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - PsExec Lateral Movement Command",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+  "risk_score": 50,
+  "description": "EQL - Suspicious MS Office Child Process",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Suspicious MS Office Child Process",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Process Create (rule: ProcessCreate)\" and    process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+  "risk_score": 50,
+  "description": "EQL - Suspicious MS Outlook Child Process",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Suspicious MS Outlook Child Process",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "  event.action:\"Process Create (rule: ProcessCreate)\" and  process.parent.name:\"outlook.exe\" and    process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
+  "risk_score": 50,
+  "description": "EQL - Suspicious PDF Reader Child Process",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Suspicious PDF Reader Child Process",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and    process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+  "risk_score": 50,
+  "description": "EQL - System Shells via Services",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - System Shells via Services",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Process Create (rule: ProcessCreate)\" and    process.parent.name:\"services.exe\" and    process.name:(\"cmd.exe\" or \"powershell.exe\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+  "risk_score": 50,
+  "description": "EQL -  Unusual Network Connection via RunDLL32",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL -  Unusual Network Connection via RunDLL32",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+  "risk_score": 50,
+  "description": "EQL - Unusual Parent-Child Relationship ",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Unusual Parent-Child Relationship ",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "   event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and   (      (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or       (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or       (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or       (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or       (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or       (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or       (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or       (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or      (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or       (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or       (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or       (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\"))    )",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+  "risk_score": 50,
+  "description": "EQL -  Unusual Process Network Connection",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL -  Unusual Process Network Connection",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+  "risk_score": 50,
+  "description": "EQL - User Account Creation",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - User Account Creation",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
+  "risk_score": 50,
+  "description": "EQL - User Added to Administrator Group",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - User Added to Administrator Group",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+  "risk_score": 50,
+  "description": "EQL - Volume Shadow Copy Deletion via VssAdmin",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Volume Shadow Copy Deletion via VssAdmin",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "  event.action:\"Process Create (rule: ProcessCreate)\"  and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+  "risk_score": 50,
+  "description": "EQL - Volume Shadow Copy Deletion via WMIC",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Volume Shadow Copy Deletion via WMIC",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "  event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+  "risk_score": 50,
+  "description": "EQL - Windows Script Executing PowerShell",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - Windows Script Executing PowerShell",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
+  "risk_score": 50,
+  "description": "EQL - WMIC Command Lateral Movement",
+  "immutable": true,
+  "interval": "5m",
+  "name": "EQL - WMIC Command Lateral Movement",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "   event.action:\"Process Create (rule: ProcessCreate)\" and  process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts

@@ -7,147 +7,223 @@
 // Auto generated file from scripts/convert_saved_search_rules.js
 // Do not hand edit. Run the script against a set of saved searches instead
 
-import rule1 from './windows_powershell_connecting_to_the_internet.json';
-import rule2 from './windows_net_user_command_activity.json';
-import rule3 from './windows_image_load_from_a_temp_directory.json';
-import rule4 from './network_ssh_secure_shell_to_the_internet.json';
-import rule5 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
-import rule6 from './windows_misc_lolbin_connecting_to_the_internet.json';
-import rule7 from './linux_strace_activity.json';
-import rule8 from './suricata_directory_reversal_characters_in_an_http_request.json';
-import rule9 from './suricata_dns_traffic_on_unusual_udp_port.json';
-import rule10 from './network_telnet_port_activity.json';
-import rule11 from './suricata_directory_traversal_in_downloaded_zip_file.json';
-import rule12 from './windows_execution_via_microsoft_html_application_hta.json';
-import rule13 from './windows_credential_dumping_commands.json';
-import rule14 from './windows_net_command_activity_by_the_system_account.json';
-import rule15 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule16 from './linux_java_process_connecting_to_the_internet.json';
-import rule17 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
-import rule18 from './suricata_double_encoded_characters_in_a_uri.json';
-import rule19 from './network_tor_activity_to_the_internet.json';
-import rule20 from './windows_registry_query_local.json';
-import rule21 from './linux_netcat_network_connection.json';
-import rule22 from './windows_defense_evasion_via_filter_manager.json';
-import rule23 from './suricata_nondns_traffic_on_udp_port_53.json';
-import rule24 from './suricata_double_encoded_characters_in_an_http_post.json';
-import rule25 from './command_shell_started_by_internet_explorer.json';
-import rule26 from './network_vnc_virtual_network_computing_from_the_internet.json';
-import rule27 from './windows_nmap_activity.json';
-import rule28 from './suspicious_process_started_by_a_script.json';
-import rule29 from './windows_network_anomalous_windows_process_using_https_ports.json';
-import rule30 from './powershell_network_connection.json';
-import rule31 from './windows_signed_binary_proxy_execution.json';
-import rule32 from './linux_kernel_module_activity.json';
-import rule33 from './network_vnc_virtual_network_computing_to_the_internet.json';
-import rule34 from './suricata_mimikatz_string_detected_in_http_response.json';
-import rule35 from './command_shell_started_by_svchost.json';
-import rule36 from './linux_tcpdump_activity.json';
-import rule37 from './process_started_by_ms_office_program_possible_payload.json';
-import rule38 from './windows_signed_binary_proxy_execution_download.json';
-import rule39 from './suricata_base64_encoded_startprocess_powershell_execution.json';
-import rule40 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
-import rule41 from './suricata_directory_traversal_characters_in_http_response.json';
-import rule42 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
-import rule43 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
-import rule44 from './process_started_by_acrobat_reader_possible_payload.json';
-import rule45 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
-import rule46 from './windows_persistence_via_modification_of_existing_service.json';
-import rule47 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
-import rule48 from './windows_execution_via_compiled_html_file.json';
-import rule49 from './linux_ptrace_activity.json';
-import rule50 from './suricata_nonimap_traffic_on_port_1443_imap.json';
-import rule51 from './windows_scheduled_task_activity.json';
-import rule52 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
-import rule53 from './windows_wireshark_activity.json';
-import rule54 from './windows_execution_via_trusted_developer_utilities.json';
-import rule55 from './suricata_rpc_traffic_on_http_ports.json';
-import rule56 from './windows_process_discovery_via_tasklist_command.json';
-import rule57 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
-import rule58 from './suricata_serialized_php_detected.json';
-import rule59 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
-import rule60 from './windows_registry_query_network.json';
-import rule61 from './windows_persistence_via_application_shimming.json';
-import rule62 from './network_proxy_port_activity_to_the_internet.json';
-import rule63 from './windows_whoami_command_activity.json';
-import rule64 from './suricata_shell_exec_php_function_in_an_http_post.json';
-import rule65 from './windump_activity.json';
-import rule66 from './windows_management_instrumentation_wmi_execution.json';
-import rule67 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
-import rule68 from './windows_priv_escalation_via_accessibility_features.json';
-import rule69 from './psexec_activity.json';
-import rule70 from './linux_rawshark_activity.json';
-import rule71 from './suricata_nonftp_traffic_on_port_21.json';
-import rule72 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
-import rule73 from './windows_certutil_connecting_to_the_internet.json';
-import rule74 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
-import rule75 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule76 from './linux_whoami_commmand.json';
-import rule77 from './windows_persistence_or_priv_escalation_via_hooking.json';
-import rule78 from './linux_lzop_activity_possible_julianrunnels.json';
-import rule79 from './suricata_nontls_on_tls_port.json';
-import rule80 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
-import rule81 from './linux_network_anomalous_process_using_https_ports.json';
-import rule82 from './windows_credential_dumping_via_registry_save.json';
-import rule83 from './network_rpc_remote_procedure_call_from_the_internet.json';
-import rule84 from './windows_credential_dumping_via_imageload.json';
-import rule85 from './windows_burp_ce_activity.json';
-import rule86 from './linux_hping_activity.json';
-import rule87 from './windows_command_prompt_connecting_to_the_internet.json';
-import rule88 from './network_nat_traversal_port_activity.json';
-import rule89 from './network_rpc_remote_procedure_call_to_the_internet.json';
-import rule90 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
-import rule91 from './windows_remote_management_execution.json';
-import rule92 from './suricata_lazagne_artifact_in_an_http_post.json';
-import rule93 from './windows_netcat_network_activity.json';
-import rule94 from './windows_iodine_activity.json';
-import rule95 from './network_port_26_activity.json';
-import rule96 from './windows_execution_via_connection_manager.json';
-import rule97 from './linux_process_started_in_temp_directory.json';
-import rule98 from './suricata_eval_php_function_in_an_http_request.json';
-import rule99 from './linux_web_download.json';
-import rule100 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
-import rule101 from './network_port_8000_activity.json';
-import rule102 from './windows_process_started_by_the_java_runtime.json';
-import rule103 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
-import rule104 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
-import rule105 from './network_port_8000_activity_to_the_internet.json';
-import rule106 from './command_shell_started_by_powershell.json';
-import rule107 from './linux_nmap_activity.json';
-import rule108 from './search_windows_10.json';
-import rule109 from './network_smtp_to_the_internet.json';
-import rule110 from './windows_payload_obfuscation_via_certutil.json';
-import rule111 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
-import rule112 from './linux_unusual_shell_activity.json';
-import rule113 from './linux_mknod_activity.json';
-import rule114 from './network_sql_server_port_activity_to_the_internet.json';
-import rule115 from './suricata_commonly_abused_dns_domain_detected.json';
-import rule116 from './linux_iodine_activity.json';
-import rule117 from './suricata_mimikatz_artifacts_in_an_http_post.json';
-import rule118 from './windows_execution_via_net_com_assemblies.json';
-import rule119 from './suricata_dns_traffic_on_unusual_tcp_port.json';
-import rule120 from './suricata_base64_encoded_newobject_powershell_execution.json';
-import rule121 from './windows_netcat_activity.json';
-import rule122 from './windows_persistence_via_bits_jobs.json';
-import rule123 from './linux_nping_activity.json';
-import rule124 from './windows_execution_via_regsvr32.json';
-import rule125 from './process_started_by_windows_defender.json';
-import rule126 from './windows_indirect_command_execution.json';
-import rule127 from './network_ssh_secure_shell_from_the_internet.json';
-import rule128 from './windows_html_help_executable_program_connecting_to_the_internet.json';
-import rule129 from './suricata_windows_executable_served_by_jpeg_web_content.json';
-import rule130 from './network_dns_directly_to_the_internet.json';
-import rule131 from './windows_defense_evasion_via_windows_event_log_tools.json';
-import rule132 from './suricata_nondns_traffic_on_tcp_port_53.json';
-import rule133 from './windows_persistence_via_netshell_helper_dll.json';
-import rule134 from './windows_script_interpreter_connecting_to_the_internet.json';
-import rule135 from './windows_defense_evasion_decoding_using_certutil.json';
-import rule136 from './linux_shell_activity_by_web_server.json';
-import rule137 from './linux_ldso_process_activity.json';
-import rule138 from './windows_mimikatz_activity.json';
-import rule139 from './suricata_nonssh_traffic_on_port_22.json';
-import rule140 from './windows_data_compression_using_powershell.json';
-import rule141 from './windows_nmap_scan_activity.json';
+import rule1 from './eql_bypass_uac_via_sdclt.json';
+import rule2 from './eql_clearing_windows_event_logs.json';
+import rule3 from './eql_suspicious_ms_office_child_process.json';
+import rule4 from './eql_bypass_uac_event_viewer.json';
+import rule5 from './eql_volume_shadow_copy_deletion_via_wmic.json';
+import rule6 from './eql_adobe_hijack_persistence.json';
+import rule7 from './eql_unusual_network_connection_via_rundll32.json';
+import rule8 from './eql_delete_volume_usn_journal_with_fsutil.json';
+import rule9 from './eql_mshta_making_network_connections.json';
+import rule10 from './eql_unusual_process_network_connection.json';
+import rule11 from './eql_suspicious_ms_outlook_child_process.json';
+import rule12 from './eql_audio_capture_via_soundrecorder.json';
+import rule13 from './eql_direct_outbound_smb_connection.json';
+import rule14 from './eql_windows_script_executing_powershell.json';
+import rule15 from './eql_deleting_backup_catalogs_with_wbadmin.json';
+import rule16 from './eql_suspicious_pdf_reader_child_process.json';
+import rule17 from './eql_local_service_commands.json';
+import rule18 from './eql_dll_search_order_hijack.json';
+import rule19 from './eql_bypass_uac_via_cmstp.json';
+import rule20 from './eql_user_account_creation.json';
+import rule21 from './eql_wmic_command_lateral_movement.json';
+import rule22 from './eql_system_shells_via_services.json';
+import rule23 from './eql_msxsl_making_network_connections.json';
+import rule24 from './eql_local_scheduled_task_commands.json';
+import rule25 from './eql_msbuild_making_network_connections.json';
+import rule26 from './eql_encoding_or_decoding_files_via_certutil.json';
+import rule27 from './eql_disable_windows_firewall_rules_with_netsh.json';
+import rule28 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
+import rule29 from './eql_psexec_lateral_movement_command.json';
+import rule30 from './eql_user_added_to_administrator_group.json';
+import rule31 from './eql_audio_capture_via_powershell.json';
+import rule32 from './eql_unusual_parentchild_relationship.json';
+import rule33 from './eql_modification_of_boot_configuration.json';
+import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
+import rule35 from './suricata_category_large_scale_information_leak.json';
+import rule36 from './suricata_category_attempted_information_leak.json';
+import rule37 from './suricata_category_not_suspicious_traffic.json';
+import rule38 from './suricata_category_potentially_bad_traffic.json';
+import rule39 from './suricata_category_information_leak.json';
+import rule40 from './suricata_category_unknown_traffic.json';
+import rule41 from './suricata_category_successful_administrator_privilege_gain.json';
+import rule42 from './suricata_category_attempted_administrator_privilege_gain.json';
+import rule43 from './suricata_category_unsuccessful_user_privilege_gain.json';
+import rule44 from './suricata_category_successful_user_privilege_gain.json';
+import rule45 from './suricata_category_attempted_user_privilege_gain.json';
+import rule46 from './suricata_category_attempted_denial_of_service.json';
+import rule47 from './suricata_category_decode_of_an_rpc_query.json';
+import rule48 from './suricata_category_denial_of_service.json';
+import rule49 from './suricata_category_attempted_login_with_suspicious_username.json';
+import rule50 from './suricata_category_client_using_unusual_port.json';
+import rule51 from './suricata_category_suspicious_filename_detected.json';
+import rule52 from './suricata_category_a_suspicious_string_was_detected.json';
+import rule53 from './suricata_category_tcp_connection_detected.json';
+import rule54 from './suricata_category_executable_code_was_detected.json';
+import rule55 from './suricata_category_network_trojan_detected.json';
+import rule56 from './suricata_category_system_call_detected.json';
+import rule57 from './suricata_category_potentially_vulnerable_web_application_access.json';
+import rule58 from './suricata_category_nonstandard_protocol_or_event.json';
+import rule59 from './suricata_category_denial_of_service_attack.json';
+import rule60 from './suricata_category_generic_protocol_command_decode.json';
+import rule61 from './suricata_category_network_scan_detected.json';
+import rule62 from './suricata_category_web_application_attack.json';
+import rule63 from './suricata_category_generic_icmp_event.json';
+import rule64 from './suricata_category_misc_attack.json';
+import rule65 from './suricata_category_default_username_and_password_login_attempt.json';
+import rule66 from './suricata_category_external_ip_address_retrieval.json';
+import rule67 from './suricata_category_potential_corporate_privacy_violation.json';
+import rule68 from './suricata_category_targeted_malicious_activity.json';
+import rule69 from './suricata_category_observed_c2_domain.json';
+import rule70 from './suricata_category_exploit_kit_activity.json';
+import rule71 from './suricata_category_possibly_unwanted_program.json';
+import rule72 from './suricata_category_successful_credential_theft.json';
+import rule73 from './suricata_category_possible_social_engineering_attempted.json';
+import rule74 from './suricata_category_crypto_currency_mining_activity.json';
+import rule75 from './suricata_category_malware_command_and_control_activity.json';
+import rule76 from './suricata_category_misc_activity.json';
+import rule77 from './windows_powershell_connecting_to_the_internet.json';
+import rule78 from './windows_net_user_command_activity.json';
+import rule79 from './windows_image_load_from_a_temp_directory.json';
+import rule80 from './network_ssh_secure_shell_to_the_internet.json';
+import rule81 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
+import rule82 from './windows_misc_lolbin_connecting_to_the_internet.json';
+import rule83 from './linux_strace_activity.json';
+import rule84 from './suricata_directory_reversal_characters_in_an_http_request.json';
+import rule85 from './suricata_dns_traffic_on_unusual_udp_port.json';
+import rule86 from './network_telnet_port_activity.json';
+import rule87 from './suricata_directory_traversal_in_downloaded_zip_file.json';
+import rule88 from './windows_execution_via_microsoft_html_application_hta.json';
+import rule89 from './windows_credential_dumping_commands.json';
+import rule90 from './windows_net_command_activity_by_the_system_account.json';
+import rule91 from './windows_register_server_program_connecting_to_the_internet.json';
+import rule92 from './linux_java_process_connecting_to_the_internet.json';
+import rule93 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
+import rule94 from './suricata_double_encoded_characters_in_a_uri.json';
+import rule95 from './network_tor_activity_to_the_internet.json';
+import rule96 from './windows_registry_query_local.json';
+import rule97 from './linux_netcat_network_connection.json';
+import rule98 from './windows_defense_evasion_via_filter_manager.json';
+import rule99 from './suricata_nondns_traffic_on_udp_port_53.json';
+import rule100 from './suricata_double_encoded_characters_in_an_http_post.json';
+import rule101 from './command_shell_started_by_internet_explorer.json';
+import rule102 from './network_vnc_virtual_network_computing_from_the_internet.json';
+import rule103 from './windows_nmap_activity.json';
+import rule104 from './suspicious_process_started_by_a_script.json';
+import rule105 from './windows_network_anomalous_windows_process_using_https_ports.json';
+import rule106 from './powershell_network_connection.json';
+import rule107 from './windows_signed_binary_proxy_execution.json';
+import rule108 from './linux_kernel_module_activity.json';
+import rule109 from './network_vnc_virtual_network_computing_to_the_internet.json';
+import rule110 from './suricata_mimikatz_string_detected_in_http_response.json';
+import rule111 from './command_shell_started_by_svchost.json';
+import rule112 from './linux_tcpdump_activity.json';
+import rule113 from './process_started_by_ms_office_program_possible_payload.json';
+import rule114 from './windows_signed_binary_proxy_execution_download.json';
+import rule115 from './suricata_base64_encoded_startprocess_powershell_execution.json';
+import rule116 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
+import rule117 from './suricata_directory_traversal_characters_in_http_response.json';
+import rule118 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
+import rule119 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
+import rule120 from './process_started_by_acrobat_reader_possible_payload.json';
+import rule121 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
+import rule122 from './windows_persistence_via_modification_of_existing_service.json';
+import rule123 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
+import rule124 from './windows_execution_via_compiled_html_file.json';
+import rule125 from './linux_ptrace_activity.json';
+import rule126 from './suricata_nonimap_traffic_on_port_1443_imap.json';
+import rule127 from './windows_scheduled_task_activity.json';
+import rule128 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
+import rule129 from './windows_wireshark_activity.json';
+import rule130 from './windows_execution_via_trusted_developer_utilities.json';
+import rule131 from './suricata_rpc_traffic_on_http_ports.json';
+import rule132 from './windows_process_discovery_via_tasklist_command.json';
+import rule133 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
+import rule134 from './suricata_serialized_php_detected.json';
+import rule135 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
+import rule136 from './windows_registry_query_network.json';
+import rule137 from './windows_persistence_via_application_shimming.json';
+import rule138 from './network_proxy_port_activity_to_the_internet.json';
+import rule139 from './windows_whoami_command_activity.json';
+import rule140 from './suricata_shell_exec_php_function_in_an_http_post.json';
+import rule141 from './windump_activity.json';
+import rule142 from './windows_management_instrumentation_wmi_execution.json';
+import rule143 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
+import rule144 from './windows_priv_escalation_via_accessibility_features.json';
+import rule145 from './psexec_activity.json';
+import rule146 from './linux_rawshark_activity.json';
+import rule147 from './suricata_nonftp_traffic_on_port_21.json';
+import rule148 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
+import rule149 from './windows_certutil_connecting_to_the_internet.json';
+import rule150 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
+import rule151 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
+import rule152 from './linux_whoami_commmand.json';
+import rule153 from './windows_persistence_or_priv_escalation_via_hooking.json';
+import rule154 from './linux_lzop_activity_possible_julianrunnels.json';
+import rule155 from './suricata_nontls_on_tls_port.json';
+import rule156 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
+import rule157 from './linux_network_anomalous_process_using_https_ports.json';
+import rule158 from './windows_credential_dumping_via_registry_save.json';
+import rule159 from './network_rpc_remote_procedure_call_from_the_internet.json';
+import rule160 from './windows_credential_dumping_via_imageload.json';
+import rule161 from './windows_burp_ce_activity.json';
+import rule162 from './linux_hping_activity.json';
+import rule163 from './windows_command_prompt_connecting_to_the_internet.json';
+import rule164 from './network_nat_traversal_port_activity.json';
+import rule165 from './network_rpc_remote_procedure_call_to_the_internet.json';
+import rule166 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
+import rule167 from './windows_remote_management_execution.json';
+import rule168 from './suricata_lazagne_artifact_in_an_http_post.json';
+import rule169 from './windows_netcat_network_activity.json';
+import rule170 from './windows_iodine_activity.json';
+import rule171 from './network_port_26_activity.json';
+import rule172 from './windows_execution_via_connection_manager.json';
+import rule173 from './linux_process_started_in_temp_directory.json';
+import rule174 from './suricata_eval_php_function_in_an_http_request.json';
+import rule175 from './linux_web_download.json';
+import rule176 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
+import rule177 from './network_port_8000_activity.json';
+import rule178 from './windows_process_started_by_the_java_runtime.json';
+import rule179 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
+import rule180 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule181 from './network_port_8000_activity_to_the_internet.json';
+import rule182 from './command_shell_started_by_powershell.json';
+import rule183 from './linux_nmap_activity.json';
+import rule184 from './search_windows_10.json';
+import rule185 from './network_smtp_to_the_internet.json';
+import rule186 from './windows_payload_obfuscation_via_certutil.json';
+import rule187 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
+import rule188 from './linux_unusual_shell_activity.json';
+import rule189 from './linux_mknod_activity.json';
+import rule190 from './network_sql_server_port_activity_to_the_internet.json';
+import rule191 from './suricata_commonly_abused_dns_domain_detected.json';
+import rule192 from './linux_iodine_activity.json';
+import rule193 from './suricata_mimikatz_artifacts_in_an_http_post.json';
+import rule194 from './windows_execution_via_net_com_assemblies.json';
+import rule195 from './suricata_dns_traffic_on_unusual_tcp_port.json';
+import rule196 from './suricata_base64_encoded_newobject_powershell_execution.json';
+import rule197 from './windows_netcat_activity.json';
+import rule198 from './windows_persistence_via_bits_jobs.json';
+import rule199 from './linux_nping_activity.json';
+import rule200 from './windows_execution_via_regsvr32.json';
+import rule201 from './process_started_by_windows_defender.json';
+import rule202 from './windows_indirect_command_execution.json';
+import rule203 from './network_ssh_secure_shell_from_the_internet.json';
+import rule204 from './windows_html_help_executable_program_connecting_to_the_internet.json';
+import rule205 from './suricata_windows_executable_served_by_jpeg_web_content.json';
+import rule206 from './network_dns_directly_to_the_internet.json';
+import rule207 from './windows_defense_evasion_via_windows_event_log_tools.json';
+import rule208 from './suricata_nondns_traffic_on_tcp_port_53.json';
+import rule209 from './windows_persistence_via_netshell_helper_dll.json';
+import rule210 from './windows_script_interpreter_connecting_to_the_internet.json';
+import rule211 from './windows_defense_evasion_decoding_using_certutil.json';
+import rule212 from './linux_shell_activity_by_web_server.json';
+import rule213 from './linux_ldso_process_activity.json';
+import rule214 from './windows_mimikatz_activity.json';
+import rule215 from './suricata_nonssh_traffic_on_port_22.json';
+import rule216 from './windows_data_compression_using_powershell.json';
+import rule217 from './windows_nmap_scan_activity.json';
 
 export const rawRules = [
   rule1,
@@ -291,4 +367,80 @@ export const rawRules = [
   rule139,
   rule140,
   rule141,
+  rule142,
+  rule143,
+  rule144,
+  rule145,
+  rule146,
+  rule147,
+  rule148,
+  rule149,
+  rule150,
+  rule151,
+  rule152,
+  rule153,
+  rule154,
+  rule155,
+  rule156,
+  rule157,
+  rule158,
+  rule159,
+  rule160,
+  rule161,
+  rule162,
+  rule163,
+  rule164,
+  rule165,
+  rule166,
+  rule167,
+  rule168,
+  rule169,
+  rule170,
+  rule171,
+  rule172,
+  rule173,
+  rule174,
+  rule175,
+  rule176,
+  rule177,
+  rule178,
+  rule179,
+  rule180,
+  rule181,
+  rule182,
+  rule183,
+  rule184,
+  rule185,
+  rule186,
+  rule187,
+  rule188,
+  rule189,
+  rule190,
+  rule191,
+  rule192,
+  rule193,
+  rule194,
+  rule195,
+  rule196,
+  rule197,
+  rule198,
+  rule199,
+  rule200,
+  rule201,
+  rule202,
+  rule203,
+  rule204,
+  rule205,
+  rule206,
+  rule207,
+  rule208,
+  rule209,
+  rule210,
+  rule211,
+  rule212,
+  rule213,
+  rule214,
+  rule215,
+  rule216,
+  rule217,
 ];

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "2a3d91c1-5065-46ab-bed0-93f80835b1d5",
+  "risk_score": 50,
+  "description": "Suricata Category - A suspicious string was detected",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - A suspicious string was detected",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious string was detected\" or rule.category: \"A suspicious string was detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f840129e-9089-4f46-8af1-0745e8f54713",
+  "risk_score": 50,
+  "description": "Suricata Category - Attempted Administrator Privilege Gain",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Attempted Administrator Privilege Gain",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Administrator Privilege Gain\" or rule.category: \"Attempted Administrator Privilege Gain\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "a62927f4-2488-4679-b56f-cda1a7f4c9e1",
+  "risk_score": 50,
+  "description": "Suricata Category - Attempted Denial of Service",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Attempted Denial of Service",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Denial of Service\" or rule.category: \"Attempted Denial of Service\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "88d69362-f496-41d6-8e6b-a2dbaed3513f",
+  "risk_score": 50,
+  "description": "Suricata Category - Attempted Information Leak",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Attempted Information Leak",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Information Leak\" or rule.category: \"Attempted Information Leak\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "a84cd36c-dd5a-4e86-a2ce-44556c21cef0",
+  "risk_score": 50,
+  "description": "Suricata Category - Attempted Login with Suspicious Username",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Attempted Login with Suspicious Username",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"An attempted login using a suspicious username was detected\" or rule.category: \"An attempted login using a suspicious username was detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "eabce895-4602-4d20-8bf9-11c903bb3e08",
+  "risk_score": 50,
+  "description": "Suricata Category - Attempted User Privilege Gain",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Attempted User Privilege Gain",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted User Privilege Gain\" or rule.category: \"Attempted User Privilege Gain\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "00503a3c-304c-421c-bfea-e5d8fdfd9726",
+  "risk_score": 50,
+  "description": "Suricata Category - Client Using Unusual Port",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Client Using Unusual Port",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A client was using an unusual port\" or rule.category: \"A client was using an unusual port\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "74cd4920-a441-41d2-8a23-5bee70626e60",
+  "risk_score": 50,
+  "description": "Suricata Category - Crypto Currency Mining Activity",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Crypto Currency Mining Activity",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Crypto Currency Mining Activity Detected\" or rule.category: \"Crypto Currency Mining Activity Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "e9fc5bd3-c8a1-442c-be6d-032da07c508b",
+  "risk_score": 50,
+  "description": "Suricata Category - Decode of an RPC Query",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Decode of an RPC Query",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Decode of an RPC Query\" or rule.category: \"Decode of an RPC Query\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "190bd112-f831-4813-98b2-e45a934277c2",
+  "risk_score": 50,
+  "description": "Suricata Category - Default Username and Password Login Attempt",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Default Username and Password Login Attempt",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempt to login by a default username and password\" or rule.category: \"Attempt to login by a default username and password\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "0e97e390-84db-4725-965a-a8b0b600f7be",
+  "risk_score": 50,
+  "description": "Suricata Category - Denial of Service",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Denial of Service",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Denial of Service\" or rule.category: \"Denial of Service\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "42a60eaa-fd20-479b-b6ca-bdb88d47b34b",
+  "risk_score": 50,
+  "description": "Suricata Category - Denial of Service Attack",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Denial of Service Attack",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Denial of Service Attack\" or rule.category: \"Detection of a Denial of Service Attack\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4699296b-5127-475a-9d83-8434fcd18136",
+  "risk_score": 50,
+  "description": "Suricata Category - Executable code was detected",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Executable code was detected",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Executable code was detected\" or rule.category: \"Executable code was detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "b3111af8-79bf-4ec3-97ae-28d9ed9fbd38",
+  "risk_score": 50,
+  "description": "Suricata Category - Exploit Kit Activity",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Exploit Kit Activity",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Exploit Kit Activity Detected\" or rule.category: \"Exploit Kit Activity Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "c7df9ecf-d6be-4ef8-9871-cb317dfff0b4",
+  "risk_score": 50,
+  "description": "Suricata Category - External IP Address Retrieval",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - External IP Address Retrieval",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Device Retrieving External IP Address Detected\" or rule.category: \"Device Retrieving External IP Address Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "3309bffa-7c43-409a-acea-6631c1b077e5",
+  "risk_score": 50,
+  "description": "Suricata Category - Generic ICMP event",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Generic ICMP event",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic ICMP event\" or rule.category: \"Generic ICMP event\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "6fd2deb4-a7a9-4221-8b7b-8d26836a8c30",
+  "risk_score": 50,
+  "description": "Suricata Category - Generic Protocol Command Decode",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Generic Protocol Command Decode",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic Protocol Command Decode\" or rule.category: \"Generic Protocol Command Decode\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "95df8ff4-7169-4c84-ae50-3561b1d1bc91",
+  "risk_score": 50,
+  "description": "Suricata Category - Information Leak",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Information Leak",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Information Leak\" or rule.category: \"Information Leak\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "ca98de30-c703-4170-97ae-ab2b340f6080",
+  "risk_score": 50,
+  "description": "Suricata Category - Large Scale Information Leak",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Large Scale Information Leak",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Large Scale Information Leak\" or rule.category: \"Large Scale Information Leak\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "56656341-2940-4a69-b8fe-acf3c734f540",
+  "risk_score": 50,
+  "description": "Suricata Category - Malware Command and Control Activity",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Malware Command and Control Activity",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Malware Command and Control Activity Detected\" or rule.category: \"Malware Command and Control Activity Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "403ddbde-a486-4dd7-b932-cee4ebef88b6",
+  "risk_score": 50,
+  "description": "Suricata Category - Misc Activity",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Misc Activity",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc activity\" or rule.category: \"Misc activity\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "83277123-749f-49da-ad3d-d59f35490db1",
+  "risk_score": 50,
+  "description": "Suricata Category - Misc Attack",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Misc Attack",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc Attack\" or rule.category: \"Misc Attack\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "7e969b45-d005-4173-aee7-a7aaa79bc372",
+  "risk_score": 50,
+  "description": "Suricata Category - Network Scan Detected",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Network Scan Detected",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Network Scan\" or rule.category: \"Detection of a Network Scan\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "76ffa464-ec03-42e1-87ee-87760c331061",
+  "risk_score": 50,
+  "description": "Suricata Category - Network Trojan Detected",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Network Trojan Detected",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A Network Trojan was detected\" or rule.category: \"A Network Trojan was detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "82f9f485-873b-4eeb-b231-052ab81e05b8",
+  "risk_score": 50,
+  "description": "Suricata Category - Non-Standard Protocol or Event",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Non-Standard Protocol or Event",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a non-standard protocol or event\" or rule.category: \"Detection of a non-standard protocol or event\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "c0f684ff-4f15-44e7-912d-aa8b8f08a910",
+  "risk_score": 50,
+  "description": "Suricata Category - Not Suspicious Traffic",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Not Suspicious Traffic",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Not Suspicious Traffic\" or rule.category: \"Not Suspicious Traffic\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "8adfa89f-aa90-4d26-9d7a-7da652cae902",
+  "risk_score": 50,
+  "description": "Suricata Category - Observed C2 Domain",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Observed C2 Domain",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Domain Observed Used for C2 Detected\" or rule.category: \"Domain Observed Used for C2 Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "7d2d5a5f-f590-407d-933a-42adb1a7bcef",
+  "risk_score": 50,
+  "description": "Suricata Category - Possible Social Engineering Attempted",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Possible Social Engineering Attempted",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possible Social Engineering Attempted\" or rule.category: \"Possible Social Engineering Attempted\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "1b9a31e8-fdfa-400e-aa4e-79a7f1a1da18",
+  "risk_score": 50,
+  "description": "Suricata Category - Possibly Unwanted Program",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Possibly Unwanted Program",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possibly Unwanted Program Detected\" or rule.category: \"Possibly Unwanted Program Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "1c70f5d5-eae0-4d00-b35a-d34ca607094e",
+  "risk_score": 50,
+  "description": "Suricata Category - Potential Corporate Privacy Violation",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Potential Corporate Privacy Violation",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potential Corporate Privacy Violation\" or rule.category: \"Potential Corporate Privacy Violation\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "197cdd5a-9880-4780-a87c-594d0ed2b7b4",
+  "risk_score": 50,
+  "description": "Suricata Category - Potentially Bad Traffic",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Potentially Bad Traffic",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potentially Bad Traffic\" or rule.category: \"Potentially Bad Traffic\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "0993e926-1a01-4c28-918a-cdd5741a19a8",
+  "risk_score": 50,
+  "description": "Suricata Category - Potentially Vulnerable Web Application Access",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Potentially Vulnerable Web Application Access",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"access to a potentially vulnerable web application\" or rule.category: \"access to a potentially vulnerable web application\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f068e655-1f52-4d81-839a-9c08c6543ceb",
+  "risk_score": 50,
+  "description": "Suricata Category - Successful Administrator Privilege Gain",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Successful Administrator Privilege Gain",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Administrator Privilege Gain\" or rule.category: \"Successful Administrator Privilege Gain\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "90f3e735-2187-4e8e-8d28-6e3249964851",
+  "risk_score": 50,
+  "description": "Suricata Category - Successful Credential Theft",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Successful Credential Theft",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Credential Theft Detected\" or rule.category: \"Successful Credential Theft Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "f8ebd022-6e92-4b80-ac49-7ee011ba2ce0",
+  "risk_score": 50,
+  "description": "Suricata Category - Successful User Privilege Gain",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Successful User Privilege Gain",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful User Privilege Gain\" or rule.category: \"Successful User Privilege Gain\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "d0489b07-8140-4e3d-a2b7-52f2c06fdc7c",
+  "risk_score": 50,
+  "description": "Suricata Category - Suspicious Filename Detected",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Suspicious Filename Detected",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious filename was detected\" or rule.category: \"A suspicious filename was detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "44a5c55a-a34f-43c3-8f21-df502862aa9b",
+  "risk_score": 50,
+  "description": "Suricata Category - System Call Detected",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - System Call Detected",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A system call was detected\" or rule.category: \"A system call was detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "d299379d-41de-4640-96b6-77aaa9adfa6f",
+  "risk_score": 50,
+  "description": "Suricata Category - Targeted Malicious Activity",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Targeted Malicious Activity",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Targeted Malicious Activity was Detected\" or rule.category: \"Targeted Malicious Activity was Detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "ddf402cf-307d-4f46-a25d-dce3aee1ad13",
+  "risk_score": 50,
+  "description": "Suricata Category - TCP Connection Detected",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - TCP Connection Detected",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A TCP connection was detected\" or rule.category: \"A TCP connection was detected\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "827ea90c-00c2-45f7-b873-dd060297b2d2",
+  "risk_score": 50,
+  "description": "Suricata Category - Unknown Traffic",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Unknown Traffic",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unknown Traffic\" or rule.category: \"Unknown Traffic\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "85471d30-78c9-48f6-b2db-ab5b2547e450",
+  "risk_score": 50,
+  "description": "Suricata Category - Unsuccessful User Privilege Gain",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Unsuccessful User Privilege Gain",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unsuccessful User Privilege Gain\" or rule.category: \"Unsuccessful User Privilege Gain\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "e856918b-f26e-4893-84b9-3deb65046fb7",
+  "risk_score": 50,
+  "description": "Suricata Category - Web Application Attack",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Suricata Category - Web Application Attack",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Web Application Attack\" or rule.category: \"Web Application Attack\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/get_filter.test.ts

@@ -509,5 +509,140 @@ describe('get_filter', () => {
         })
       ).rejects.toThrow('savedId parameter should be defined');
     });
+
+    test('it works with references and does not add indexes', () => {
+      const esQuery = getQueryFilter(
+        '(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187)',
+        'kuery',
+        [],
+        ['my custom index']
+      );
+      expect(esQuery).toEqual({
+        bool: {
+          must: [],
+          filter: [
+            {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      filter: [
+                        {
+                          bool: {
+                            should: [{ match: { 'event.module': 'suricata' } }],
+                            minimum_should_match: 1,
+                          },
+                        },
+                        {
+                          bool: {
+                            should: [{ match: { 'event.kind': 'alert' } }],
+                            minimum_should_match: 1,
+                          },
+                        },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      should: [
+                        {
+                          bool: {
+                            should: [{ match: { 'suricata.eve.alert.signature_id': 2610182 } }],
+                            minimum_should_match: 1,
+                          },
+                        },
+                        {
+                          bool: {
+                            should: [
+                              {
+                                bool: {
+                                  should: [
+                                    { match: { 'suricata.eve.alert.signature_id': 2610183 } },
+                                  ],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                              {
+                                bool: {
+                                  should: [
+                                    {
+                                      bool: {
+                                        should: [
+                                          { match: { 'suricata.eve.alert.signature_id': 2610184 } },
+                                        ],
+                                        minimum_should_match: 1,
+                                      },
+                                    },
+                                    {
+                                      bool: {
+                                        should: [
+                                          {
+                                            bool: {
+                                              should: [
+                                                {
+                                                  match: {
+                                                    'suricata.eve.alert.signature_id': 2610185,
+                                                  },
+                                                },
+                                              ],
+                                              minimum_should_match: 1,
+                                            },
+                                          },
+                                          {
+                                            bool: {
+                                              should: [
+                                                {
+                                                  bool: {
+                                                    should: [
+                                                      {
+                                                        match: {
+                                                          'suricata.eve.alert.signature_id': 2610186,
+                                                        },
+                                                      },
+                                                    ],
+                                                    minimum_should_match: 1,
+                                                  },
+                                                },
+                                                {
+                                                  bool: {
+                                                    should: [
+                                                      {
+                                                        match: {
+                                                          'suricata.eve.alert.signature_id': 2610187,
+                                                        },
+                                                      },
+                                                    ],
+                                                    minimum_should_match: 1,
+                                                  },
+                                                },
+                                              ],
+                                              minimum_should_match: 1,
+                                            },
+                                          },
+                                        ],
+                                        minimum_should_match: 1,
+                                      },
+                                    },
+                                  ],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                            ],
+                            minimum_should_match: 1,
+                          },
+                        },
+                      ],
+                      minimum_should_match: 1,
+                    },
+                  },
+                ],
+              },
+            },
+          ],
+          should: [],
+          must_not: [],
+        },
+      });
+    });
   });
 });