[SIEM][Detection Engine] More updates with more rules (#53728)
## Summary * Adds more rules from detection groups ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
This commit is contained in:
parent
79bb25a965
commit
776aa23b06
50 changed files with 1114 additions and 183 deletions
|
@ -41,189 +41,238 @@ import rule31 from './eql_audio_capture_via_powershell.json';
|
|||
import rule32 from './eql_unusual_parentchild_relationship.json';
|
||||
import rule33 from './eql_modification_of_boot_configuration.json';
|
||||
import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
|
||||
import rule35 from './suricata_category_large_scale_information_leak.json';
|
||||
import rule36 from './suricata_category_attempted_information_leak.json';
|
||||
import rule37 from './suricata_category_not_suspicious_traffic.json';
|
||||
import rule38 from './suricata_category_potentially_bad_traffic.json';
|
||||
import rule39 from './suricata_category_information_leak.json';
|
||||
import rule40 from './suricata_category_unknown_traffic.json';
|
||||
import rule41 from './suricata_category_successful_administrator_privilege_gain.json';
|
||||
import rule42 from './suricata_category_attempted_administrator_privilege_gain.json';
|
||||
import rule43 from './suricata_category_unsuccessful_user_privilege_gain.json';
|
||||
import rule44 from './suricata_category_successful_user_privilege_gain.json';
|
||||
import rule45 from './suricata_category_attempted_user_privilege_gain.json';
|
||||
import rule46 from './suricata_category_attempted_denial_of_service.json';
|
||||
import rule47 from './suricata_category_decode_of_an_rpc_query.json';
|
||||
import rule48 from './suricata_category_denial_of_service.json';
|
||||
import rule49 from './suricata_category_attempted_login_with_suspicious_username.json';
|
||||
import rule50 from './suricata_category_client_using_unusual_port.json';
|
||||
import rule51 from './suricata_category_suspicious_filename_detected.json';
|
||||
import rule52 from './suricata_category_a_suspicious_string_was_detected.json';
|
||||
import rule53 from './suricata_category_tcp_connection_detected.json';
|
||||
import rule54 from './suricata_category_executable_code_was_detected.json';
|
||||
import rule55 from './suricata_category_network_trojan_detected.json';
|
||||
import rule56 from './suricata_category_system_call_detected.json';
|
||||
import rule57 from './suricata_category_potentially_vulnerable_web_application_access.json';
|
||||
import rule58 from './suricata_category_nonstandard_protocol_or_event.json';
|
||||
import rule59 from './suricata_category_denial_of_service_attack.json';
|
||||
import rule60 from './suricata_category_generic_protocol_command_decode.json';
|
||||
import rule61 from './suricata_category_network_scan_detected.json';
|
||||
import rule62 from './suricata_category_web_application_attack.json';
|
||||
import rule63 from './suricata_category_generic_icmp_event.json';
|
||||
import rule64 from './suricata_category_misc_attack.json';
|
||||
import rule65 from './suricata_category_default_username_and_password_login_attempt.json';
|
||||
import rule66 from './suricata_category_external_ip_address_retrieval.json';
|
||||
import rule67 from './suricata_category_potential_corporate_privacy_violation.json';
|
||||
import rule68 from './suricata_category_targeted_malicious_activity.json';
|
||||
import rule69 from './suricata_category_observed_c2_domain.json';
|
||||
import rule70 from './suricata_category_exploit_kit_activity.json';
|
||||
import rule71 from './suricata_category_possibly_unwanted_program.json';
|
||||
import rule72 from './suricata_category_successful_credential_theft.json';
|
||||
import rule73 from './suricata_category_possible_social_engineering_attempted.json';
|
||||
import rule74 from './suricata_category_crypto_currency_mining_activity.json';
|
||||
import rule75 from './suricata_category_malware_command_and_control_activity.json';
|
||||
import rule76 from './suricata_category_misc_activity.json';
|
||||
import rule77 from './windows_powershell_connecting_to_the_internet.json';
|
||||
import rule78 from './windows_net_user_command_activity.json';
|
||||
import rule79 from './windows_image_load_from_a_temp_directory.json';
|
||||
import rule80 from './network_ssh_secure_shell_to_the_internet.json';
|
||||
import rule81 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
|
||||
import rule82 from './windows_misc_lolbin_connecting_to_the_internet.json';
|
||||
import rule83 from './linux_strace_activity.json';
|
||||
import rule84 from './suricata_directory_reversal_characters_in_an_http_request.json';
|
||||
import rule85 from './suricata_dns_traffic_on_unusual_udp_port.json';
|
||||
import rule86 from './network_telnet_port_activity.json';
|
||||
import rule87 from './suricata_directory_traversal_in_downloaded_zip_file.json';
|
||||
import rule88 from './windows_execution_via_microsoft_html_application_hta.json';
|
||||
import rule89 from './windows_credential_dumping_commands.json';
|
||||
import rule90 from './windows_net_command_activity_by_the_system_account.json';
|
||||
import rule91 from './windows_register_server_program_connecting_to_the_internet.json';
|
||||
import rule92 from './linux_java_process_connecting_to_the_internet.json';
|
||||
import rule93 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule94 from './suricata_double_encoded_characters_in_a_uri.json';
|
||||
import rule95 from './network_tor_activity_to_the_internet.json';
|
||||
import rule96 from './windows_registry_query_local.json';
|
||||
import rule97 from './linux_netcat_network_connection.json';
|
||||
import rule98 from './windows_defense_evasion_via_filter_manager.json';
|
||||
import rule99 from './suricata_nondns_traffic_on_udp_port_53.json';
|
||||
import rule100 from './suricata_double_encoded_characters_in_an_http_post.json';
|
||||
import rule101 from './command_shell_started_by_internet_explorer.json';
|
||||
import rule102 from './network_vnc_virtual_network_computing_from_the_internet.json';
|
||||
import rule103 from './windows_nmap_activity.json';
|
||||
import rule104 from './suspicious_process_started_by_a_script.json';
|
||||
import rule105 from './windows_network_anomalous_windows_process_using_https_ports.json';
|
||||
import rule106 from './powershell_network_connection.json';
|
||||
import rule107 from './windows_signed_binary_proxy_execution.json';
|
||||
import rule108 from './linux_kernel_module_activity.json';
|
||||
import rule109 from './network_vnc_virtual_network_computing_to_the_internet.json';
|
||||
import rule110 from './suricata_mimikatz_string_detected_in_http_response.json';
|
||||
import rule111 from './command_shell_started_by_svchost.json';
|
||||
import rule112 from './linux_tcpdump_activity.json';
|
||||
import rule113 from './process_started_by_ms_office_program_possible_payload.json';
|
||||
import rule114 from './windows_signed_binary_proxy_execution_download.json';
|
||||
import rule115 from './suricata_base64_encoded_startprocess_powershell_execution.json';
|
||||
import rule116 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
|
||||
import rule117 from './suricata_directory_traversal_characters_in_http_response.json';
|
||||
import rule118 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
|
||||
import rule119 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule120 from './process_started_by_acrobat_reader_possible_payload.json';
|
||||
import rule121 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule122 from './windows_persistence_via_modification_of_existing_service.json';
|
||||
import rule123 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
|
||||
import rule124 from './windows_execution_via_compiled_html_file.json';
|
||||
import rule125 from './linux_ptrace_activity.json';
|
||||
import rule126 from './suricata_nonimap_traffic_on_port_1443_imap.json';
|
||||
import rule127 from './windows_scheduled_task_activity.json';
|
||||
import rule128 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule129 from './windows_wireshark_activity.json';
|
||||
import rule130 from './windows_execution_via_trusted_developer_utilities.json';
|
||||
import rule131 from './suricata_rpc_traffic_on_http_ports.json';
|
||||
import rule132 from './windows_process_discovery_via_tasklist_command.json';
|
||||
import rule133 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
|
||||
import rule134 from './suricata_serialized_php_detected.json';
|
||||
import rule135 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
|
||||
import rule136 from './windows_registry_query_network.json';
|
||||
import rule137 from './windows_persistence_via_application_shimming.json';
|
||||
import rule138 from './network_proxy_port_activity_to_the_internet.json';
|
||||
import rule139 from './windows_whoami_command_activity.json';
|
||||
import rule140 from './suricata_shell_exec_php_function_in_an_http_post.json';
|
||||
import rule141 from './windump_activity.json';
|
||||
import rule142 from './windows_management_instrumentation_wmi_execution.json';
|
||||
import rule143 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
|
||||
import rule144 from './windows_priv_escalation_via_accessibility_features.json';
|
||||
import rule145 from './psexec_activity.json';
|
||||
import rule146 from './linux_rawshark_activity.json';
|
||||
import rule147 from './suricata_nonftp_traffic_on_port_21.json';
|
||||
import rule148 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
|
||||
import rule149 from './windows_certutil_connecting_to_the_internet.json';
|
||||
import rule150 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
|
||||
import rule151 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
|
||||
import rule152 from './linux_whoami_commmand.json';
|
||||
import rule153 from './windows_persistence_or_priv_escalation_via_hooking.json';
|
||||
import rule154 from './linux_lzop_activity_possible_julianrunnels.json';
|
||||
import rule155 from './suricata_nontls_on_tls_port.json';
|
||||
import rule156 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
|
||||
import rule157 from './linux_network_anomalous_process_using_https_ports.json';
|
||||
import rule158 from './windows_credential_dumping_via_registry_save.json';
|
||||
import rule159 from './network_rpc_remote_procedure_call_from_the_internet.json';
|
||||
import rule160 from './windows_credential_dumping_via_imageload.json';
|
||||
import rule161 from './windows_burp_ce_activity.json';
|
||||
import rule162 from './linux_hping_activity.json';
|
||||
import rule163 from './windows_command_prompt_connecting_to_the_internet.json';
|
||||
import rule164 from './network_nat_traversal_port_activity.json';
|
||||
import rule165 from './network_rpc_remote_procedure_call_to_the_internet.json';
|
||||
import rule166 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
|
||||
import rule167 from './windows_remote_management_execution.json';
|
||||
import rule168 from './suricata_lazagne_artifact_in_an_http_post.json';
|
||||
import rule169 from './windows_netcat_network_activity.json';
|
||||
import rule170 from './windows_iodine_activity.json';
|
||||
import rule171 from './network_port_26_activity.json';
|
||||
import rule172 from './windows_execution_via_connection_manager.json';
|
||||
import rule173 from './linux_process_started_in_temp_directory.json';
|
||||
import rule174 from './suricata_eval_php_function_in_an_http_request.json';
|
||||
import rule175 from './linux_web_download.json';
|
||||
import rule176 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
|
||||
import rule177 from './network_port_8000_activity.json';
|
||||
import rule178 from './windows_process_started_by_the_java_runtime.json';
|
||||
import rule179 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
|
||||
import rule180 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
|
||||
import rule181 from './network_port_8000_activity_to_the_internet.json';
|
||||
import rule182 from './command_shell_started_by_powershell.json';
|
||||
import rule183 from './linux_nmap_activity.json';
|
||||
import rule184 from './search_windows_10.json';
|
||||
import rule185 from './network_smtp_to_the_internet.json';
|
||||
import rule186 from './windows_payload_obfuscation_via_certutil.json';
|
||||
import rule187 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
|
||||
import rule188 from './linux_unusual_shell_activity.json';
|
||||
import rule189 from './linux_mknod_activity.json';
|
||||
import rule190 from './network_sql_server_port_activity_to_the_internet.json';
|
||||
import rule191 from './suricata_commonly_abused_dns_domain_detected.json';
|
||||
import rule192 from './linux_iodine_activity.json';
|
||||
import rule193 from './suricata_mimikatz_artifacts_in_an_http_post.json';
|
||||
import rule194 from './windows_execution_via_net_com_assemblies.json';
|
||||
import rule195 from './suricata_dns_traffic_on_unusual_tcp_port.json';
|
||||
import rule196 from './suricata_base64_encoded_newobject_powershell_execution.json';
|
||||
import rule197 from './windows_netcat_activity.json';
|
||||
import rule198 from './windows_persistence_via_bits_jobs.json';
|
||||
import rule199 from './linux_nping_activity.json';
|
||||
import rule200 from './windows_execution_via_regsvr32.json';
|
||||
import rule201 from './process_started_by_windows_defender.json';
|
||||
import rule202 from './windows_indirect_command_execution.json';
|
||||
import rule203 from './network_ssh_secure_shell_from_the_internet.json';
|
||||
import rule204 from './windows_html_help_executable_program_connecting_to_the_internet.json';
|
||||
import rule205 from './suricata_windows_executable_served_by_jpeg_web_content.json';
|
||||
import rule206 from './network_dns_directly_to_the_internet.json';
|
||||
import rule207 from './windows_defense_evasion_via_windows_event_log_tools.json';
|
||||
import rule208 from './suricata_nondns_traffic_on_tcp_port_53.json';
|
||||
import rule209 from './windows_persistence_via_netshell_helper_dll.json';
|
||||
import rule210 from './windows_script_interpreter_connecting_to_the_internet.json';
|
||||
import rule211 from './windows_defense_evasion_decoding_using_certutil.json';
|
||||
import rule212 from './linux_shell_activity_by_web_server.json';
|
||||
import rule213 from './linux_ldso_process_activity.json';
|
||||
import rule214 from './windows_mimikatz_activity.json';
|
||||
import rule215 from './suricata_nonssh_traffic_on_port_22.json';
|
||||
import rule216 from './windows_data_compression_using_powershell.json';
|
||||
import rule217 from './windows_nmap_scan_activity.json';
|
||||
import rule35 from './zeek_notice_signaturesmultiple_sig_responders.json';
|
||||
import rule36 from './zeek_notice_packetfiltercompile_failure.json';
|
||||
import rule37 from './zeek_notice_signaturescount_signature.json';
|
||||
import rule38 from './zeek_notice_signaturesmultiple_signatures.json';
|
||||
import rule39 from './zeek_notice_signaturessignature_summary.json';
|
||||
import rule40 from './zeek_notice_signaturessensitive_signature.json';
|
||||
import rule41 from './zeek_notice_packetfilterinstall_failure.json';
|
||||
import rule42 from './zeek_notice_weirdactivity.json';
|
||||
import rule43 from './zeek_notice_noticetally.json';
|
||||
import rule44 from './zeek_notice_packetfilterno_more_conn_shunts_available.json';
|
||||
import rule45 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json';
|
||||
import rule46 from './zeek_notice_teamcymrumalwarehashregistrymatch.json';
|
||||
import rule47 from './zeek_notice_softwaresoftware_version_change.json';
|
||||
import rule48 from './zeek_notice_protocoldetectorserver_found.json';
|
||||
import rule49 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json';
|
||||
import rule50 from './zeek_notice_protocoldetectorprotocol_found.json';
|
||||
import rule51 from './zeek_notice_intelnotice.json';
|
||||
import rule52 from './zeek_notice_packetfilterdropped_packets.json';
|
||||
import rule53 from './zeek_notice_scanaddress_scan.json';
|
||||
import rule54 from './zeek_notice_ftpbruteforcing.json';
|
||||
import rule55 from './zeek_notice_scanport_scan.json';
|
||||
import rule56 from './zeek_notice_dnsexternal_name.json';
|
||||
import rule57 from './zeek_notice_capturelosstoo_much_loss.json';
|
||||
import rule58 from './zeek_notice_softwarevulnerable_version.json';
|
||||
import rule59 from './zeek_notice_connretransmission_inconsistency.json';
|
||||
import rule60 from './zeek_notice_traceroutedetected.json';
|
||||
import rule61 from './zeek_notice_conncontent_gap.json';
|
||||
import rule62 from './zeek_notice_smtpblocklist_blocked_host.json';
|
||||
import rule63 from './zeek_notice_httpsql_injection_victim.json';
|
||||
import rule64 from './zeek_notice_sshlogin_by_password_guesser.json';
|
||||
import rule65 from './zeek_notice_sshpassword_guessing.json';
|
||||
import rule66 from './zeek_notice_sshwatched_country_login.json';
|
||||
import rule67 from './zeek_notice_ftpsite_exec_success.json';
|
||||
import rule68 from './zeek_notice_smtpsuspicious_origination.json';
|
||||
import rule69 from './zeek_notice_httpsql_injection_attacker.json';
|
||||
import rule70 from './zeek_notice_smtpblocklist_error_message.json';
|
||||
import rule71 from './zeek_notice_sshinteresting_hostname_login.json';
|
||||
import rule72 from './zeek_notice_sslinvalid_server_cert.json';
|
||||
import rule73 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json';
|
||||
import rule74 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json';
|
||||
import rule75 from './zeek_notice_sslcertificate_expired.json';
|
||||
import rule76 from './zeek_notice_sslcertificate_expires_soon.json';
|
||||
import rule77 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json';
|
||||
import rule78 from './zeek_notice_sslcertificate_not_valid_yet.json';
|
||||
import rule79 from './zeek_notice_heartbleedssl_heartbeat_attack.json';
|
||||
import rule80 from './zeek_notice_sslinvalid_ocsp_response.json';
|
||||
import rule81 from './zeek_notice_sslweak_key.json';
|
||||
import rule82 from './zeek_notice_sslold_version.json';
|
||||
import rule83 from './zeek_notice_sslweak_cipher.json';
|
||||
import rule84 from './suricata_category_large_scale_information_leak.json';
|
||||
import rule85 from './suricata_category_attempted_information_leak.json';
|
||||
import rule86 from './suricata_category_not_suspicious_traffic.json';
|
||||
import rule87 from './suricata_category_potentially_bad_traffic.json';
|
||||
import rule88 from './suricata_category_information_leak.json';
|
||||
import rule89 from './suricata_category_unknown_traffic.json';
|
||||
import rule90 from './suricata_category_successful_administrator_privilege_gain.json';
|
||||
import rule91 from './suricata_category_attempted_administrator_privilege_gain.json';
|
||||
import rule92 from './suricata_category_unsuccessful_user_privilege_gain.json';
|
||||
import rule93 from './suricata_category_successful_user_privilege_gain.json';
|
||||
import rule94 from './suricata_category_attempted_user_privilege_gain.json';
|
||||
import rule95 from './suricata_category_attempted_denial_of_service.json';
|
||||
import rule96 from './suricata_category_decode_of_an_rpc_query.json';
|
||||
import rule97 from './suricata_category_denial_of_service.json';
|
||||
import rule98 from './suricata_category_attempted_login_with_suspicious_username.json';
|
||||
import rule99 from './suricata_category_client_using_unusual_port.json';
|
||||
import rule100 from './suricata_category_suspicious_filename_detected.json';
|
||||
import rule101 from './suricata_category_a_suspicious_string_was_detected.json';
|
||||
import rule102 from './suricata_category_tcp_connection_detected.json';
|
||||
import rule103 from './suricata_category_executable_code_was_detected.json';
|
||||
import rule104 from './suricata_category_network_trojan_detected.json';
|
||||
import rule105 from './suricata_category_system_call_detected.json';
|
||||
import rule106 from './suricata_category_potentially_vulnerable_web_application_access.json';
|
||||
import rule107 from './suricata_category_nonstandard_protocol_or_event.json';
|
||||
import rule108 from './suricata_category_denial_of_service_attack.json';
|
||||
import rule109 from './suricata_category_generic_protocol_command_decode.json';
|
||||
import rule110 from './suricata_category_network_scan_detected.json';
|
||||
import rule111 from './suricata_category_web_application_attack.json';
|
||||
import rule112 from './suricata_category_generic_icmp_event.json';
|
||||
import rule113 from './suricata_category_misc_attack.json';
|
||||
import rule114 from './suricata_category_default_username_and_password_login_attempt.json';
|
||||
import rule115 from './suricata_category_external_ip_address_retrieval.json';
|
||||
import rule116 from './suricata_category_potential_corporate_privacy_violation.json';
|
||||
import rule117 from './suricata_category_targeted_malicious_activity.json';
|
||||
import rule118 from './suricata_category_observed_c2_domain.json';
|
||||
import rule119 from './suricata_category_exploit_kit_activity.json';
|
||||
import rule120 from './suricata_category_possibly_unwanted_program.json';
|
||||
import rule121 from './suricata_category_successful_credential_theft.json';
|
||||
import rule122 from './suricata_category_possible_social_engineering_attempted.json';
|
||||
import rule123 from './suricata_category_crypto_currency_mining_activity.json';
|
||||
import rule124 from './suricata_category_malware_command_and_control_activity.json';
|
||||
import rule125 from './suricata_category_misc_activity.json';
|
||||
import rule126 from './windows_powershell_connecting_to_the_internet.json';
|
||||
import rule127 from './windows_net_user_command_activity.json';
|
||||
import rule128 from './windows_image_load_from_a_temp_directory.json';
|
||||
import rule129 from './network_ssh_secure_shell_to_the_internet.json';
|
||||
import rule130 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
|
||||
import rule131 from './windows_misc_lolbin_connecting_to_the_internet.json';
|
||||
import rule132 from './linux_strace_activity.json';
|
||||
import rule133 from './suricata_directory_reversal_characters_in_an_http_request.json';
|
||||
import rule134 from './suricata_dns_traffic_on_unusual_udp_port.json';
|
||||
import rule135 from './network_telnet_port_activity.json';
|
||||
import rule136 from './suricata_directory_traversal_in_downloaded_zip_file.json';
|
||||
import rule137 from './windows_execution_via_microsoft_html_application_hta.json';
|
||||
import rule138 from './windows_credential_dumping_commands.json';
|
||||
import rule139 from './windows_net_command_activity_by_the_system_account.json';
|
||||
import rule140 from './windows_register_server_program_connecting_to_the_internet.json';
|
||||
import rule141 from './linux_java_process_connecting_to_the_internet.json';
|
||||
import rule142 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule143 from './suricata_double_encoded_characters_in_a_uri.json';
|
||||
import rule144 from './network_tor_activity_to_the_internet.json';
|
||||
import rule145 from './windows_registry_query_local.json';
|
||||
import rule146 from './linux_netcat_network_connection.json';
|
||||
import rule147 from './windows_defense_evasion_via_filter_manager.json';
|
||||
import rule148 from './suricata_nondns_traffic_on_udp_port_53.json';
|
||||
import rule149 from './suricata_double_encoded_characters_in_an_http_post.json';
|
||||
import rule150 from './command_shell_started_by_internet_explorer.json';
|
||||
import rule151 from './network_vnc_virtual_network_computing_from_the_internet.json';
|
||||
import rule152 from './windows_nmap_activity.json';
|
||||
import rule153 from './suspicious_process_started_by_a_script.json';
|
||||
import rule154 from './windows_network_anomalous_windows_process_using_https_ports.json';
|
||||
import rule155 from './powershell_network_connection.json';
|
||||
import rule156 from './windows_signed_binary_proxy_execution.json';
|
||||
import rule157 from './linux_kernel_module_activity.json';
|
||||
import rule158 from './network_vnc_virtual_network_computing_to_the_internet.json';
|
||||
import rule159 from './suricata_mimikatz_string_detected_in_http_response.json';
|
||||
import rule160 from './command_shell_started_by_svchost.json';
|
||||
import rule161 from './linux_tcpdump_activity.json';
|
||||
import rule162 from './process_started_by_ms_office_program_possible_payload.json';
|
||||
import rule163 from './windows_signed_binary_proxy_execution_download.json';
|
||||
import rule164 from './suricata_base64_encoded_startprocess_powershell_execution.json';
|
||||
import rule165 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
|
||||
import rule166 from './suricata_directory_traversal_characters_in_http_response.json';
|
||||
import rule167 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
|
||||
import rule168 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule169 from './process_started_by_acrobat_reader_possible_payload.json';
|
||||
import rule170 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule171 from './windows_persistence_via_modification_of_existing_service.json';
|
||||
import rule172 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
|
||||
import rule173 from './windows_execution_via_compiled_html_file.json';
|
||||
import rule174 from './linux_ptrace_activity.json';
|
||||
import rule175 from './suricata_nonimap_traffic_on_port_1443_imap.json';
|
||||
import rule176 from './windows_scheduled_task_activity.json';
|
||||
import rule177 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
|
||||
import rule178 from './windows_wireshark_activity.json';
|
||||
import rule179 from './windows_execution_via_trusted_developer_utilities.json';
|
||||
import rule180 from './suricata_rpc_traffic_on_http_ports.json';
|
||||
import rule181 from './windows_process_discovery_via_tasklist_command.json';
|
||||
import rule182 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
|
||||
import rule183 from './suricata_serialized_php_detected.json';
|
||||
import rule184 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
|
||||
import rule185 from './windows_registry_query_network.json';
|
||||
import rule186 from './windows_persistence_via_application_shimming.json';
|
||||
import rule187 from './network_proxy_port_activity_to_the_internet.json';
|
||||
import rule188 from './windows_whoami_command_activity.json';
|
||||
import rule189 from './suricata_shell_exec_php_function_in_an_http_post.json';
|
||||
import rule190 from './windump_activity.json';
|
||||
import rule191 from './windows_management_instrumentation_wmi_execution.json';
|
||||
import rule192 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
|
||||
import rule193 from './windows_priv_escalation_via_accessibility_features.json';
|
||||
import rule194 from './psexec_activity.json';
|
||||
import rule195 from './linux_rawshark_activity.json';
|
||||
import rule196 from './suricata_nonftp_traffic_on_port_21.json';
|
||||
import rule197 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
|
||||
import rule198 from './windows_certutil_connecting_to_the_internet.json';
|
||||
import rule199 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
|
||||
import rule200 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
|
||||
import rule201 from './linux_whoami_commmand.json';
|
||||
import rule202 from './windows_persistence_or_priv_escalation_via_hooking.json';
|
||||
import rule203 from './linux_lzop_activity_possible_julianrunnels.json';
|
||||
import rule204 from './suricata_nontls_on_tls_port.json';
|
||||
import rule205 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
|
||||
import rule206 from './linux_network_anomalous_process_using_https_ports.json';
|
||||
import rule207 from './windows_credential_dumping_via_registry_save.json';
|
||||
import rule208 from './network_rpc_remote_procedure_call_from_the_internet.json';
|
||||
import rule209 from './windows_credential_dumping_via_imageload.json';
|
||||
import rule210 from './windows_burp_ce_activity.json';
|
||||
import rule211 from './linux_hping_activity.json';
|
||||
import rule212 from './windows_command_prompt_connecting_to_the_internet.json';
|
||||
import rule213 from './network_nat_traversal_port_activity.json';
|
||||
import rule214 from './network_rpc_remote_procedure_call_to_the_internet.json';
|
||||
import rule215 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
|
||||
import rule216 from './windows_remote_management_execution.json';
|
||||
import rule217 from './suricata_lazagne_artifact_in_an_http_post.json';
|
||||
import rule218 from './windows_netcat_network_activity.json';
|
||||
import rule219 from './windows_iodine_activity.json';
|
||||
import rule220 from './network_port_26_activity.json';
|
||||
import rule221 from './windows_execution_via_connection_manager.json';
|
||||
import rule222 from './linux_process_started_in_temp_directory.json';
|
||||
import rule223 from './suricata_eval_php_function_in_an_http_request.json';
|
||||
import rule224 from './linux_web_download.json';
|
||||
import rule225 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
|
||||
import rule226 from './network_port_8000_activity.json';
|
||||
import rule227 from './windows_process_started_by_the_java_runtime.json';
|
||||
import rule228 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
|
||||
import rule229 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
|
||||
import rule230 from './network_port_8000_activity_to_the_internet.json';
|
||||
import rule231 from './command_shell_started_by_powershell.json';
|
||||
import rule232 from './linux_nmap_activity.json';
|
||||
import rule233 from './search_windows_10.json';
|
||||
import rule234 from './network_smtp_to_the_internet.json';
|
||||
import rule235 from './windows_payload_obfuscation_via_certutil.json';
|
||||
import rule236 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
|
||||
import rule237 from './linux_unusual_shell_activity.json';
|
||||
import rule238 from './linux_mknod_activity.json';
|
||||
import rule239 from './network_sql_server_port_activity_to_the_internet.json';
|
||||
import rule240 from './suricata_commonly_abused_dns_domain_detected.json';
|
||||
import rule241 from './linux_iodine_activity.json';
|
||||
import rule242 from './suricata_mimikatz_artifacts_in_an_http_post.json';
|
||||
import rule243 from './windows_execution_via_net_com_assemblies.json';
|
||||
import rule244 from './suricata_dns_traffic_on_unusual_tcp_port.json';
|
||||
import rule245 from './suricata_base64_encoded_newobject_powershell_execution.json';
|
||||
import rule246 from './windows_netcat_activity.json';
|
||||
import rule247 from './windows_persistence_via_bits_jobs.json';
|
||||
import rule248 from './linux_nping_activity.json';
|
||||
import rule249 from './windows_execution_via_regsvr32.json';
|
||||
import rule250 from './process_started_by_windows_defender.json';
|
||||
import rule251 from './windows_indirect_command_execution.json';
|
||||
import rule252 from './network_ssh_secure_shell_from_the_internet.json';
|
||||
import rule253 from './windows_html_help_executable_program_connecting_to_the_internet.json';
|
||||
import rule254 from './suricata_windows_executable_served_by_jpeg_web_content.json';
|
||||
import rule255 from './network_dns_directly_to_the_internet.json';
|
||||
import rule256 from './windows_defense_evasion_via_windows_event_log_tools.json';
|
||||
import rule257 from './suricata_nondns_traffic_on_tcp_port_53.json';
|
||||
import rule258 from './windows_persistence_via_netshell_helper_dll.json';
|
||||
import rule259 from './windows_script_interpreter_connecting_to_the_internet.json';
|
||||
import rule260 from './windows_defense_evasion_decoding_using_certutil.json';
|
||||
import rule261 from './linux_shell_activity_by_web_server.json';
|
||||
import rule262 from './linux_ldso_process_activity.json';
|
||||
import rule263 from './windows_mimikatz_activity.json';
|
||||
import rule264 from './suricata_nonssh_traffic_on_port_22.json';
|
||||
import rule265 from './windows_data_compression_using_powershell.json';
|
||||
import rule266 from './windows_nmap_scan_activity.json';
|
||||
|
||||
export const rawRules = [
|
||||
rule1,
|
||||
|
@ -443,4 +492,53 @@ export const rawRules = [
|
|||
rule215,
|
||||
rule216,
|
||||
rule217,
|
||||
rule218,
|
||||
rule219,
|
||||
rule220,
|
||||
rule221,
|
||||
rule222,
|
||||
rule223,
|
||||
rule224,
|
||||
rule225,
|
||||
rule226,
|
||||
rule227,
|
||||
rule228,
|
||||
rule229,
|
||||
rule230,
|
||||
rule231,
|
||||
rule232,
|
||||
rule233,
|
||||
rule234,
|
||||
rule235,
|
||||
rule236,
|
||||
rule237,
|
||||
rule238,
|
||||
rule239,
|
||||
rule240,
|
||||
rule241,
|
||||
rule242,
|
||||
rule243,
|
||||
rule244,
|
||||
rule245,
|
||||
rule246,
|
||||
rule247,
|
||||
rule248,
|
||||
rule249,
|
||||
rule250,
|
||||
rule251,
|
||||
rule252,
|
||||
rule253,
|
||||
rule254,
|
||||
rule255,
|
||||
rule256,
|
||||
rule257,
|
||||
rule258,
|
||||
rule259,
|
||||
rule260,
|
||||
rule261,
|
||||
rule262,
|
||||
rule263,
|
||||
rule264,
|
||||
rule265,
|
||||
rule266,
|
||||
];
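Review bot: Nothing here guards against two of the 266 JSON files carrying the same `rule_id`, and because every prepackaged rule is `immutable` a collision would only surface when the set is installed or upgraded on a customer cluster; `rawRules` is also hand-maintained in parallel with the import list, so a module that is imported but never appended to the array is easy to miss in a batch this size. A single assertion in this file's existing test would catch the first problem and is cheap, e.g. `expect(new Set(rawRules.map((r) => r.rule_id)).size).toBe(rawRules.length);` (and the same for `name`, which is what analysts see). The import list this array mirrors is in an earlier hunk that starts outside this view.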
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "c115a407-799b-45d6-962e-a639bb764c06",
|
||||
"risk_score": 50,
|
||||
"description": "Detected Zeek capture loss exceeds the percentage threshold",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice CaptureLoss::Too_Much_Loss",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"CaptureLoss::Too_Much_Loss\" or rule.name: \"CaptureLoss::Too_Much_Loss\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
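Review bot: The `description` line frames this as a Zeek health message, but it is also a detection-coverage signal: while the sensor is dropping packets every other Zeek-backed rule in this batch is blind, which is precisely the condition an attacker who can saturate a tap or span port benefits from. Worth saying so, and routing the alert to whoever owns the sensor rather than the threat queue, e.g. `"description": "Zeek reports packet capture loss above its configured percentage threshold. Treat as a visibility gap: while this fires, network detections from the affected sensor cannot be relied on."`. `low` severity is reasonable for a single notice, but analysts should be told it is about sensor health, not adversary activity.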
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "22d12b64-33f4-40ce-ad57-49dd870bc8e5",
|
||||
"risk_score": 50,
|
||||
"description": "Data has sequence hole; perhaps due to filtering.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Conn::Content_Gap",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Content_Gap\" or rule.name: \"Conn::Content_Gap\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
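Review bot: `"risk_score": 50` next to `"severity": "low"` reads as inconsistent — 50 is the midpoint of the 0–100 scale while the label is the lowest tier — and the identical pair is copied into every rule in this batch regardless of what the notice means, so the score carries no information for sorting. Either lower the score to whatever band this directory uses for low-severity rules (the neighbouring rules are not in view — confirm) or differentiate it where the notice warrants. For this particular notice a content gap is as likely to be sensor packet loss as upstream filtering, so a `"description"` that names both causes, e.g. `"description": "Zeek saw a hole in a TCP stream's sequence space; usually sensor packet loss or upstream filtering, rarely a deliberate segment drop."`, saves an analyst a lookup.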
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "53719624-55f0-4541-8370-f27f6766fb9e",
|
||||
"risk_score": 50,
|
||||
"description": "Possible evasion; usually just chud.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Conn::Retransmission_Inconsistency",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Retransmission_Inconsistency\" or rule.name: \"Conn::Retransmission_Inconsistency\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
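Review bot: The `description` value "Possible evasion; usually just chud." is lifted verbatim from Zeek's source and is opaque to a SOC analyst — "chud" is internal jargon with no meaning outside that script. Suggest `"description": "Zeek saw a TCP retransmission whose payload differs from the original segment. This can be a deliberate IDS-evasion technique (inconsistent overlapping segments) but is most often benign network noise."`. The evasion angle is the only reason to ship this notice as a detection rule at all, so it is worth spelling out.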
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "39c40c5a-110c-45b1-876f-969212e8814b",
|
||||
"risk_score": 50,
|
||||
"description": "Raised when a non-local name is found to be pointing at a local host.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice DNS::External_Name",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"DNS::External_Name\" or rule.name: \"DNS::External_Name\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
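Review bot: Whether this notice ever fires depends on `Site::local_nets` being configured on the Zeek side, since the "local host" test in the `description` is made against that set (as far as I recall of the DNS policy script — confirm); an unconfigured deployment produces nothing and a wrongly scoped one floods. The prerequisite belongs in the description so nobody enabling the rule in Kibana assumes coverage they do not have, e.g. append ` Requires Site::local_nets to be set in the Zeek deployment.` to the `"description"` string. The security relevance — an external name resolving to an internal address is a classic DNS-rebinding or exfiltration-setup indicator — could also be named explicitly instead of left implicit.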
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "7e069475-817e-4e89-9245-1dfaa3083b11",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice FTP::Bruteforcing",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Bruteforcing\" or rule.name: \"FTP::Bruteforcing\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
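Review bot: The threshold that makes this notice fire lives in Zeek (`FTP::bruteforce_threshold` and its measurement interval, if I remember the script correctly — confirm), not in this rule, so the `"interval"`/`"from"` window on the lines above has no bearing on what counts as brute forcing; the `"description"` should say the aggregation is done upstream so nobody tries to tune it here. A brute-force indicator at `"severity": "low"` is defensible for a single notice, but it should at least match whatever severity the SSH equivalent later in this batch (`SSH::Password_Guessing`) ends up with, since the two describe the same attack.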
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "4b9cb3e9-e26a-4bd2-bd1f-8d451b49838f",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice FTP::Site_Exec_Success",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Site_Exec_Success\" or rule.name: \"FTP::Site_Exec_Success\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
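Review bot: A successful `SITE EXEC` response is confirmed execution of a client-supplied command on the FTP server, and `"severity": "low"` on the line above `"type"` badly understates that — this is one of the few notices in the batch that represents a completed compromise rather than an attempt. Suggest `"severity": "high"` with a matching risk score, and a description that states the operational meaning: `"description": "Zeek saw a successful response to an FTP SITE EXEC command, i.e. the server executed a command supplied by the client. Treat as likely remote code execution on the FTP host."`. Also note the curly quotes (“SITE EXEC”) in the `description` value — valid JSON, but inconsistent with the plain ASCII used in the other rules and easy to mangle in downstream tooling.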
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "68a33102-3680-4581-a48a-210b23925905",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a host performed a heartbleed attack or scan.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
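Review bot: All four Heartbleed notices in this batch ship with the identical `"severity": "low"` / `"risk_score": 50`, so an attempt, a scan and a probable success are indistinguishable to anyone sorting signals by severity. `Heartbleed::SSL_Heartbeat_Attack` is an exploitation attempt against a service that is still vulnerable to a 2014 memory-disclosure bug; `"severity": "medium"` is the floor here, with the `_Success` variant rated higher still. These notices also only exist when Zeek's heartbleed policy script is loaded (`policy/protocols/ssl/heartbleed.zeek`, if I recall — confirm), which the `"description"` could mention as a prerequisite.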
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "241a61ae-b385-4f36-96c4-b2fb5446cc43",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a host performing a heartbleed attack was probably successful.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack_Success",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack_Success\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack_Success\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
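Review bot: `"severity": "low"` on a notice whose own `description` says the attack "was probably successful" is wrong — a successful heartbeat over-read leaks server process memory, which in practice means private keys, session cookies and credentials, and the correct response is key rotation and patching, not a low-priority ticket. Suggest `"severity": "high"` (or `critical`, matching whatever this directory uses for confirmed exploitation) with the risk score raised to the same band, and a description that states the impact: `"description": "Zeek observed a Heartbleed heartbeat response larger than the request, indicating the server leaked memory. Assume private keys and session material on the host are compromised."`.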
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "59d6a32c-753e-4c19-bb77-1befdc6e0e6a",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates we saw many heartbeat requests without a reply. Might be an attack.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Heartbleed::SSL_Heartbeat_Many_Requests",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Many_Requests\" or rule.name: \"Heartbleed::SSL_Heartbeat_Many_Requests\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "0c6e7be4-6cab-4ee1-ad51-7c1ffd0e9002",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates we saw heartbeat requests with odd length. Probably an attack or scan.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Heartbleed::SSL_Heartbeat_Odd_Length",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Odd_Length\" or rule.name: \"Heartbleed::SSL_Heartbeat_Odd_Length\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "4ca9ef93-7e7e-40a4-8d71-9130204d86e6",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a host performing SQL injection attacks was detected.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice HTTP::SQL_Injection_Attacker",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Attacker\" or rule.name: \"HTTP::SQL_Injection_Attacker\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
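Review bot: The Zeek detection behind this notice is a regular-expression match on request URIs counted per source over a window (`HTTP::sqli_requests_threshold` / `_interval`, if I remember the script — confirm), so by the time it fires the source has already sent many injection payloads; `"severity": "low"` undersells an active, repeated attack against a web application and `"medium"` would be more honest. It would also be worth aligning with the Suricata SQLi rule imported in the same change (`suricata_possible_sql_injection_sql_commands_in_http_transactions`), so the two detections of the same behaviour do not land in different severity tiers. The `"description"` could note that the matched URI is presumably carried in the notice's `sub`/`msg` fields, which is what an analyst needs to confirm the hit.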
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "dda43d7f-69bc-487f-b05c-2b518e9db622",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice HTTP::SQL_Injection_Victim",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Victim\" or rule.name: \"HTTP::SQL_Injection_Victim\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
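Review bot: `HTTP::SQL_Injection_Victim` and `HTTP::SQL_Injection_Attacker` are raised for the same traffic by the same Zeek script, so enabling both produces two Kibana signals per incident that differ only in which IP is the subject. The `"description"` should say this is the target-side view of the attacker notice so analysts enable one or correlate them deliberately, e.g. `"description": "Indicates that a host was the target of repeated SQL injection attempts, tracked by IP address rather than hostname. Companion to HTTP::SQL_Injection_Attacker, which names the source."`. Severity and risk-score considerations are the same as for the attacker rule.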
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "122e153a-78f3-4e7e-a5b5-cfe0b917f109",
|
||||
"risk_score": 50,
|
||||
"description": "This notice is generated when an intelligence indicator is denoted to be notice-worthy.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Intel::Notice",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Intel::Notice\" or rule.name: \"Intel::Notice\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
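Review bot: Zeek only raises `Intel::Notice` for indicators whose intel entry has the `do_notice` metadata flag set (as I recall of the Intel framework — confirm); ordinary indicator hits go to `intel.log` without a notice, so this rule will stay silent on most deployments even while threat-intel matches are occurring. The `"description"` should say so, otherwise enabling this rule looks like enabling intel-match alerting and it is not: `"description": "Zeek intel-framework match for an indicator flagged as notice-worthy (meta.do_notice=T). Indicator matches without that flag are logged to intel.log only and do not trigger this rule."`. Given that such hits are explicitly analyst-curated, `"severity": "low"` also seems too low.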
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "7581fd81-25e8-489e-bcf3-69db068b7a6c",
|
||||
"risk_score": 50,
|
||||
"description": "Zeek notice reporting a count of how often a notice occurred.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Notice::Tally",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Notice::Tally\" or rule.name: \"Notice::Tally\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
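Review bot: `Notice::Tally` is Zeek's periodic roll-up of how many times other notices fired, so a Kibana rule on it alerts on a count of alerts — every other Zeek rule in this batch will produce a second, derived signal through this one. Unless the intent is sensor-health reporting it is better left out of the prepackaged set, or the `"description"` should make the aggregate nature explicit so it is not triaged as an event, e.g. `"description": "Zeek summary notice: a periodic count of how often another notice type fired. Informational only; the underlying notices are alerted on separately."`.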
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "0031d83e-1fb4-4dd6-b938-97ae7044b051",
|
||||
"risk_score": 50,
|
||||
"description": "Limitations in BPF make shunting some connections with BPF impossible. This notice encompasses those various cases.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice PacketFilter::Cannot_BPF_Shunt_Conn",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Cannot_BPF_Shunt_Conn\" or rule.name: \"PacketFilter::Cannot_BPF_Shunt_Conn\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "335b2ddc-f806-46e8-8ffa-114d613aac92",
|
||||
"risk_score": 50,
|
||||
"description": "This notice is generated if a packet filter cannot be compiled.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice PacketFilter::Compile_Failure",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Compile_Failure\" or rule.name: \"PacketFilter::Compile_Failure\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
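Review bot: The `"description"` does not say what a failed filter compile means for coverage: Zeek keeps running with its previous or default BPF filter, so the sensor is silently capturing a different scope than the operator intended — possibly everything, possibly nothing of interest. That is a security posture problem rather than a mere error, and the text should say so, e.g. `"description": "A Zeek packet filter failed to compile; the sensor continues with its previous or default filter, so the captured traffic scope no longer matches the configured one."`. Severity `low` is fine for the signal itself as long as the description makes the consequence clear.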
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "4f212278-329b-4088-ae59-9091003dff22",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates packets were dropped by the packet filter.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice PacketFilter::Dropped_Packets",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Dropped_Packets\" or rule.name: \"PacketFilter::Dropped_Packets\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
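Review bot: Like the `CaptureLoss::Too_Much_Loss` rule earlier in this batch, this is a visibility-loss signal rather than adversary activity, and the one-line `"description"` does not tell the analyst that. Suggest `"description": "Zeek's packet filter reported dropped packets. Treat as a coverage gap for the affected sensor; network detections during the drop window are incomplete."`, and consider whether both drop-related notices need separate rules or one is enough to page the sensor owner.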
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "235988ec-d037-4f5f-a211-74106512b36d",
|
||||
"risk_score": 50,
|
||||
"description": "Generated if a packet filter fails to install.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice PacketFilter::Install_Failure",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Install_Failure\" or rule.name: \"PacketFilter::Install_Failure\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
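Review bot: The consequence of an install failure is the same as for `PacketFilter::Compile_Failure` in this batch — the sensor keeps the filter it had — and the four-word `"description"` leaves that out. `"description": "A Zeek packet filter failed to install; the sensor continues with its previous filter, so captured traffic may not match the configured scope."` tells the responder why this matters rather than just restating the notice name.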
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "de4016de-3374-41a0-a678-21d36c70af9a",
|
||||
"risk_score": 50,
|
||||
"description": "Indicative that PacketFilter::max_bpf_shunts connections are already being shunted with BPF filters and no more are allowed.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice PacketFilter::No_More_Conn_Shunts_Available",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::No_More_Conn_Shunts_Available\" or rule.name: \"PacketFilter::No_More_Conn_Shunts_Available\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "71e93c42-7990-4233-a8a5-2631193df7db",
|
||||
"risk_score": 50,
|
||||
"description": "Generated when a notice takes too long to compile.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice PacketFilter::Too_Long_To_Compile_Filter",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Too_Long_To_Compile_Filter\" or rule.name: \"PacketFilter::Too_Long_To_Compile_Filter\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
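Review bot: The `"description"` value "Generated when a notice takes too long to compile." is wrong — notices are not compiled; the subject of this notice, as its name says, is a packet filter. Suggest `"description": "Generated when a Zeek packet filter takes too long to compile."`. As with the other `PacketFilter::*` rules, a sentence on the effect (the sensor may be running without the intended filter during that time) would make the alert actionable.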
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "777586b6-4757-489e-a6e8-676b7df70b39",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates a protocol was detected on a non-standard port.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice ProtocolDetector::Protocol_Found",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Protocol_Found\" or rule.name: \"ProtocolDetector::Protocol_Found\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
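Review bot: This notice is only produced when Zeek's protocol-detection policy script is loaded (`policy/frameworks/dpd/detect-protocols.zeek`, if I recall — confirm); it is not part of the default notice set, so the `"description"` should list the prerequisite or the rule will look broken on a stock deployment. It is also worth saying why it matters: a known protocol on a non-standard port is a tunnelling/covert-channel indicator, which overlaps with the Suricata port-mismatch rules imported in the same change (`suricata_nontls_on_tls_port`, `suricata_ssh_traffic_not_on_port_22_internet_destination`); cross-referencing them in the description helps analysts pick one source.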
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "7d7f7635-6900-4f63-b14b-477a909ea90a",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates a server was detected on a non-standard port for the protocol.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice ProtocolDetector::Server_Found",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Server_Found\" or rule.name: \"ProtocolDetector::Server_Found\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
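Review bot: The `"description"` for this rule and for `ProtocolDetector::Protocol_Found` differ by one word, and neither says which side of the connection is the subject; if I read the Zeek script correctly `Server_Found` is raised once per responder host/port after the protocol has been seen repeatedly there, while `Protocol_Found` is per connection — confirm and state that, e.g. `"description": "Zeek repeatedly saw a known protocol served on a non-standard port by the same host. Indicates a service (possibly a backdoor or tunnel) listening off its standard port."`. Same prerequisite as the sibling rule: the detect-protocols policy script must be loaded.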
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "9d320fca-4ec1-4511-bdbc-7edf9673c07d",
|
||||
"risk_score": 50,
|
||||
"description": "Address scans detect that a host appears to be scanning some number of destinations on a single port.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Scan::Address_Scan",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Address_Scan\" or rule.name: \"Scan::Address_Scan\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
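Review bot: `Scan::Address_Scan` comes from Zeek's `misc/scan.zeek` policy, which recent Zeek releases moved out of the base distribution into a separately installed package (as far as I recall — confirm); on such a deployment this rule never fires and nothing in Kibana tells the analyst why. The `"description"` should carry that dependency, e.g. `"description": "Zeek detected a host contacting many destination addresses on a single port (horizontal scan). Requires the Zeek scan policy/package to be loaded; thresholds are configured on the Zeek side."`. The threshold note matters because the `"interval"`/`"from"` window here does not affect what counts as a scan.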
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "d09fbf7a-47a7-4130-8dd7-b386cca81a42",
|
||||
"risk_score": 50,
|
||||
"description": "Port scans detect that an attacking host appears to be scanning a single victim host on several ports.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Scan::Port_Scan",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Port_Scan\" or rule.name: \"Scan::Port_Scan\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
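Review bot: Same dependency caveat as `Scan::Address_Scan`: this notice exists only if the Zeek scan policy or package is loaded, and the scan threshold (`Scan::port_scan_threshold`, if I remember the variable — confirm) is set there, not in this rule. The `"description"` wording "an attacking host appears to be scanning a single victim host" presumes intent; `"description": "Zeek detected a source host probing many ports on a single destination host (vertical port scan). Requires the Zeek scan policy/package; thresholds are set on the Zeek side."` is more neutral and carries the prerequisite.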
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "a704589c-8ba9-4a3c-8e39-ab9360cade17",
|
||||
"risk_score": 50,
|
||||
"description": "The same signature has triggered multiple times for a host.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Signatures::Count_Signature",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Count_Signature\" or rule.name: \"Signatures::Count_Signature\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "4f313ae8-cbc6-4082-9599-526f8ccb7303",
|
||||
"risk_score": 50,
|
||||
"description": "Host has triggered the same signature on multiple hosts.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Signatures::Multiple_Sig_Responders",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Sig_Responders\" or rule.name: \"Signatures::Multiple_Sig_Responders\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
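Review bot: The `"description"` value "Host has triggered the same signature on multiple hosts." is ambiguous about which host is which. Suggest `"description": "A single source host triggered the same Zeek signature against multiple destination hosts — a sweeping or lateral-movement pattern."`, which names the direction and the reason it is worth an alert; that pattern is arguably a step above `low` severity, since it means one source is hitting many targets with the same payload.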
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "ab90d81c-79e1-4f62-a61e-484c4bedb2b0",
|
||||
"risk_score": 50,
|
||||
"description": "Host has triggered many signatures on the same host.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Signatures::Multiple_Signatures",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Signatures\" or rule.name: \"Signatures::Multiple_Signatures\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
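Review bot: As with its sibling, the `"description"` "Host has triggered many signatures on the same host." does not say which side is source and which is target. Suggest `"description": "A single source host triggered many different Zeek signatures against one destination host — a focused attack pattern against a single target."`. Between this and `Signatures::Multiple_Sig_Responders` the two rules describe the vertical and horizontal versions of the same behaviour, and saying so in each description helps analysts correlate them.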
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "ac394dec-67e8-417f-bb06-ae0bd75556b0",
|
||||
"risk_score": 50,
|
||||
"description": "Generic notice type for notice-worthy signature matches.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Signatures::Sensitive_Signature",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Sensitive_Signature\" or rule.name: \"Signatures::Sensitive_Signature\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
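Review bot: The `"query"` keys on the notice type only, so every sensitive signature an operator has configured collapses into this single Kibana rule and the actual signature id is not part of the match. The `"description"` should say where the identity of the matched signature lives (presumably the notice's `sub`/`msg` fields in the zeek module mapping — confirm) and that which signatures are "sensitive" is decided by the Zeek side (`Signatures::Sensitive_Signature` is raised for signatures with the corresponding action, if I recall): `"description": "Zeek raised a notice for a signature configured as notice-worthy on the sensor. The signature id and match details are in the notice message fields; which signatures qualify is set in the Zeek signature configuration."`.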
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "d17fe857-eb67-4843-ab63-bf4852e49396",
|
||||
"risk_score": 50,
|
||||
"description": "Summarize the number of times a host triggered a signature.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Signatures::Signature_Summary",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Signature_Summary\" or rule.name: \"Signatures::Signature_Summary\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
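Review bot: `Signatures::Signature_Summary` (and `Signatures::Count_Signature` earlier in this batch) are periodic aggregates of signature hits rather than events, so a rule on them re-alerts on activity already covered by the per-match notices, much like `Notice::Tally`. If they are kept, the `"description"` should mark them as informational summaries so they are not triaged as fresh detections, e.g. `"description": "Zeek periodic summary of how many times a host triggered a signature. Informational; the individual matches are alerted on separately."`.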
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "402d5f78-82cd-4320-8b69-3185e44daf07",
|
||||
"risk_score": 50,
|
||||
"description": "The originator’s address is seen in the block list error message. This is useful to detect local hosts sending SPAM with a high positive rate.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SMTP::Blocklist_Blocked_Host",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Blocked_Host\" or rule.name: \"SMTP::Blocklist_Blocked_Host\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
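Review bot: The `"description"` phrase "with a high positive rate" is unclear (true-positive rate? volume?), and the security meaning — an internal host whose address appears in a remote server's block-list rejection is very likely compromised or an open relay — is left implicit. Suggest `"description": "A remote SMTP server rejected mail from the local originator with an error citing a block list, i.e. the sending host is listed. Strong indicator of an internal host sending spam (compromised host or open relay)."`. That is a compromised-host signal and arguably warrants more than `"severity": "low"`. The description also uses a curly apostrophe (originator’s); plain ASCII would match the rest of the batch.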
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "b9bb4a93-8c5c-4942-9193-e2dc97230034",
|
||||
"risk_score": 50,
|
||||
"description": "An SMTP server sent a reply mentioning an SMTP block list.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SMTP::Blocklist_Error_Message",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Error_Message\" or rule.name: \"SMTP::Blocklist_Error_Message\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
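Review bot: This is the weaker sibling of `SMTP::Blocklist_Blocked_Host`: the reply merely mentions a block list and does not establish that the local host is the one listed, which the one-line `"description"` does not convey. `"description": "An SMTP server replied with an error that mentions a block list. Weaker than SMTP::Blocklist_Blocked_Host, which fires only when the local originator's address is the one listed."` gives the analyst the ordering between the two rules.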
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "cc6e9fef-d936-4faf-8936-e576c089d8b2",
|
||||
"risk_score": 50,
|
||||
"description": "SMTP message orignated from country or network configured to be suspicious.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SMTP::Suspicious_Origination",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Suspicious_Origination\" or rule.name: \"SMTP::Suspicious_Origination\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
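Review bot: The `"description"` has a typo ("orignated") and omits that the notice is inert unless the operator has populated the suspicious countries/networks sets on the Zeek side (`SMTP::suspicious_origination_countries` / `SMTP::suspicious_origination_networks`, if I remember the variable names — confirm), with the country check additionally needing GeoIP support in Zeek. Suggest `"description": "SMTP message originated from a country or network configured as suspicious on the Zeek sensor. Requires SMTP::suspicious_origination_countries or SMTP::suspicious_origination_networks to be set; country matching also requires GeoIP support."`.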
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "ea1d2c1b-ecfe-42a5-bd0b-56c7a1bd8075",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that an interesting software application changed versions on a host.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Software::Software_Version_Change",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Software_Version_Change\" or rule.name: \"Software::Software_Version_Change\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
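Review bot: "interesting software" in the `"description"` is Zeek's own term for the `Software::interesting_version_changes` set (as far as I recall — confirm), and the rule produces nothing unless that set is configured; the description should say so rather than leave the word unexplained. A version change is security-relevant mainly when it is a downgrade or an unexpected client on a server, so `"description": "Zeek observed a host change the version of a tracked software application (types listed in Software::interesting_version_changes on the sensor). Review for unexpected downgrades or unauthorized software."` gives both the prerequisite and the reason to look.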
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "97b4d80c-7671-4301-85a6-954aa0ba96ce",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a vulnerable version of software was detected.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Software::Vulnerable_Version",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Vulnerable_Version\" or rule.name: \"Software::Vulnerable_Version\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
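Review bot: This rule is silent unless the operator has populated Zeek's vulnerable-versions table (`Software::vulnerable_versions`, if I recall — confirm), since Zeek ships no list of vulnerable software of its own; an analyst enabling "Vulnerable_Version" in Kibana will reasonably expect vulnerability detection that is not actually happening. The `"description"` should say where the list comes from: `"description": "Zeek matched observed software against the operator-maintained Software::vulnerable_versions table. Fires only when that table is populated on the sensor; the matched product and version are in the notice message."`.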
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "6a7f2b0a-3f24-4d58-aa84-243f1f0556d9",
|
||||
"risk_score": 50,
|
||||
"description": "Generated if a login originates or responds with a host where the reverse hostname lookup resolves to a name matched by the SSH::interesting_hostnames regular expression.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSH::Interesting_Hostname_Login",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Interesting_Hostname_Login\" or rule.name: \"SSH::Interesting_Hostname_Login\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "5600ad95-2244-43db-8a7d-77eea95f80db",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a host previously identified as a \"password guesser\" has now had a successful login attempt.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSH::Login_By_Password_Guesser",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Login_By_Password_Guesser\" or rule.name: \"SSH::Login_By_Password_Guesser\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
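Review bot: `"severity": "low"` on a successful login by a host that Zeek had already classified as a password guesser is the wrong tier — that is the textbook brute-force-succeeded condition, i.e. a likely account compromise, and it is rated the same as the attempt (`SSH::Password_Guessing`). Suggest `"severity": "high"` with a matching risk score, and a description that states the response: `"description": "A host previously flagged by Zeek for SSH password guessing has now had a login judged successful. Treat as a probable account compromise; the Zeek success heuristic is not authoritative, so confirm against the SSH server's auth log."`.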
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "e278142a-4ee7-4443-9b1f-421174b0dabf",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a host has been identified as crossing the SSH::password_guesses_limit threshold with failed logins.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSH::Password_Guessing",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Password_Guessing\" or rule.name: \"SSH::Password_Guessing\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
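Review bot: The `"description"` correctly points at `SSH::password_guesses_limit`, but it would help to add that Zeek's notion of an SSH login failure is a heuristic (inferred from the connection, as I recall, not from server-side auth data — confirm) and that the aggregation happens on the sensor, so the `"interval"`/`"from"` window here does not change what counts as guessing. It is also worth stating the relationship to the success-side rule in this batch: `SSH::Login_By_Password_Guesser` is the escalation of this notice and should sit at a higher severity than the attempt.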
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "983f4b7e-38cd-4d7f-8be6-40447431561e",
|
||||
"risk_score": 50,
|
||||
"description": "SSH login was seen to or from a \"watched\" country based on the SSH::watched_countries variable",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSH::Watched_Country_Login",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Watched_Country_Login\" or rule.name: \"SSH::Watched_Country_Login\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
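Review bot: The `"description"` names `SSH::watched_countries` but not the second prerequisite — Zeek needs GeoIP (libmaxminddb) support and a database for country lookups, without which the notice never fires (as far as I recall — confirm); it is also the only description in the batch missing a terminating period. Suggest `"description": "SSH login seen to or from a country listed in the Zeek SSH::watched_countries variable. Requires that variable to be set and GeoIP support on the sensor."`.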
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "3981f48e-49a5-4a3e-9b44-900a0887526c",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a certificate’s NotValidAfter date has lapsed and the certificate is now invalid.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Certificate_Expired",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expired\" or rule.name: \"SSL::Certificate_Expired\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
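Review bot: The three certificate-expiry notices in this batch come from a Zeek policy script that, by default, only evaluates certificates from addresses in `SSL::notify_certs_addr` (local networks, if I recall — confirm), so on a stock deployment the rule covers the organisation's own servers rather than arbitrary external endpoints; the `"description"` should say which population is being checked. An expired server certificate is mostly an operations finding, but it is also a condition clients may have been trained to click through, which is the security angle worth one sentence.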
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "e8207172-3478-4b2c-85b7-6f13d97fff43",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a certificate is going to expire within SSL::notify_when_cert_expiring_in.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Certificate_Expires_Soon",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expires_Soon\" or rule.name: \"SSL::Certificate_Expires_Soon\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
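Review bot: This is an operational warning rather than a detection (the `"description"` itself says the certificate is merely about to expire), and it will refire on every TLS handshake for the affected server until renewal. If it stays in the prepackaged set, the `"description"` should flag it as informational and note the same `SSL::notify_certs_addr` scoping caveat as `SSL::Certificate_Expired`, so nobody expects it to cover external hosts.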
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "45586490-99f6-4e11-8228-2229d727a3b4",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a certificate’s NotValidBefore date is future dated.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Certificate_Not_Valid_Yet",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Not_Valid_Yet\" or rule.name: \"SSL::Certificate_Not_Valid_Yet\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "eb17fcbb-de22-4aa0-81aa-1c059bdd4f2b",
|
||||
"risk_score": 50,
|
||||
"description": "This indicates that the OCSP response was not deemed to be valid.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Invalid_Ocsp_Response",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Ocsp_Response\" or rule.name: \"SSL::Invalid_Ocsp_Response\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "13f51fe0-fc74-4c45-90f3-6fb1cd26ec66",
|
||||
"risk_score": 50,
|
||||
"description": "This notice indicates that the result of validating the certificate along with its full certificate chain was invalid.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Invalid_Server_Cert",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Server_Cert\" or rule.name: \"SSL::Invalid_Server_Cert\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "260b680e-c3d6-4c03-90cd-03c86e9f8ec1",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a server is using a potentially unsafe version",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Old_Version",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Old_Version\" or rule.name: \"SSL::Old_Version\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
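Review bot: The description `"Indicates that a server is using a potentially unsafe version"` does not say a version of what, and together with the SSL::Weak_Cipher rule that follows it is missing the trailing period every sibling rule uses. Given the notice name, the version presumably refers to the negotiated SSL/TLS protocol version, and the cipher to the negotiated cipher suite; a reader triaging the signal should not have to infer that. Suggested wording: `"description": "Indicates that a server is using a potentially unsafe SSL/TLS protocol version."` and, in the SSL::Weak_Cipher file, `"description": "Indicates that a server is using a potentially unsafe cipher suite."`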
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "25886074-6ae1-41c0-8546-e8cf55ed1b4b",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a server is using a potentially unsafe cipher",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Weak_Cipher",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Cipher\" or rule.name: \"SSL::Weak_Cipher\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "e020f504-c0e5-4768-8e1f-1e2ec7bac961",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a server is using a potentially unsafe key.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice SSL::Weak_Key",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Key\" or rule.name: \"SSL::Weak_Key\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "a130a0ba-b083-4630-b0ea-cceb80d7720b",
|
||||
"risk_score": 50,
|
||||
"description": "The hash value of a file transferred over HTTP matched in the malware hash registry.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice TeamCymruMalwareHashRegistry::Match",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"TeamCymruMalwareHashRegistry::Match\" or rule.name: \"TeamCymruMalwareHashRegistry::Match\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
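Review bot: A file hash matching a malware hash registry is the highest-fidelity notice in this set, yet the rule keeps `"severity": "low"` and `"risk_score": 50`, and its description does not say what the analyst should look at next. The match is only as good as the sensor's connectivity to the registry lookup service, so the description should mention that dependency, and it should point the analyst at the file hash carried by the underlying Zeek notice event, since the `query` keys only on the notice name. Suggested wording: `"description": "The hash value of a file transferred over HTTP matched an entry in the Team Cymru Malware Hash Registry. Investigate the file hash and the transferring hosts in the underlying Zeek notice event; this rule only fires when the sensor can reach the registry lookup service."`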
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "aeefe077-f05d-44a7-b757-272fc51c334c",
|
||||
"risk_score": 50,
|
||||
"description": "Indicates that a host was seen running traceroutes.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Traceroute::Detected",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Traceroute::Detected\" or rule.name: \"Traceroute::Detected\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"rule_id": "d5ad39d0-8421-4f79-ad93-8ddbf7f553b3",
|
||||
"risk_score": 50,
|
||||
"description": "Generic unusual but notice-worthy weird activity.",
|
||||
"immutable": true,
|
||||
"interval": "5m",
|
||||
"name": "Zeek Notice Weird::Activity",
|
||||
"severity": "low",
|
||||
"type": "query",
|
||||
"from": "now-6m",
|
||||
"to": "now",
|
||||
"query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Weird::Activity\" or rule.name: \"Weird::Activity\")",
|
||||
"language": "kuery",
|
||||
"filters": [],
|
||||
"enabled": false,
|
||||
"version": 1
|
||||
}
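Review bot: `Weird::Activity` is a catch-all notice, so this rule will be the noisiest in the set once enabled, and neither its description nor any `false_positives` entry warns the operator of that. A one-sentence addition such as `"description": "Generic unusual but notice-worthy weird activity. This is a catch-all Zeek notice and can be high volume; review the underlying notice message before escalating."` would set expectations, and if these prepackaged files accept the rule schema's `false_positives` array, listing the common benign sources there would be the better home for that guidance. The same note applies to Traceroute::Detected, which on many networks is routine operations traffic.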
|