[SIEM][Detection Rules] Add 7.9 rules (#71332)

NOTICE.txt

@@ -147,6 +147,70 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
+---
+Detection Rules
+Copyright 2020 Elasticsearch B.V.
+
+---
+This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack
+which is available under a "MIT" license. The files based on this license are:
+
+- defense_evasion_via_filter_manager
+- discovery_process_discovery_via_tasklist_command
+- persistence_priv_escalation_via_accessibility_features
+- persistence_via_application_shimming
+- defense_evasion_execution_via_trusted_developer_utilities
+
+MIT License
+
+Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---
+This product bundles rules based on https://github.com/FSecureLABS/leonidas
+which is available under a "MIT" license. The files based on this license are:
+
+- credential_access_secretsmanager_getsecretvalue.toml
+
+MIT License
+
+Copyright (c) 2020 F-Secure LABS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
 ---
 This product bundles bootstrap@3.3.6 which is available under a
 "MIT" license.
@@ -220,38 +284,6 @@ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
----
-This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack
-which is available under a "MIT" license. The files based on this license are:
-
-- windows_defense_evasion_via_filter_manager.json
-- windows_process_discovery_via_tasklist_command.json
-- windows_priv_escalation_via_accessibility_features.json
-- windows_persistence_via_application_shimming.json
-- windows_execution_via_trusted_developer_utilities.json
-
-MIT License
-
-Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
-of the Software, and to permit persons to whom the Software is furnished to do
-so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
 ---
 This product includes code that is adapted from mapbox-gl-js, which is
 available under a "BSD-3-Clause" license.

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed",
   "false_positives": [
     "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
@@ -7,6 +10,7 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Web Application Suspicious Activity: POST Request Declined",
   "query": "http.response.status_code:403 and http.request.method:post",
   "references": [
@@ -20,5 +24,5 @@
     "Elastic"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
   "false_positives": [
     "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
@@ -7,6 +10,7 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Web Application Suspicious Activity: Unauthorized Method",
   "query": "http.response.status_code:405",
   "references": [
@@ -20,5 +24,5 @@
     "Elastic"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "A request to a web application server contained no identifying user agent string.",
   "false_positives": [
     "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
@@ -25,6 +28,7 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Web Application Suspicious Activity: No User Agent",
   "query": "url.path:*",
   "references": [
@@ -38,5 +42,5 @@
     "Elastic"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
   "false_positives": [
     "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
@@ -7,6 +10,7 @@
     "apm-*-transaction*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Web Application Suspicious Activity: sqlmap User Agent",
   "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
   "references": [
@@ -20,5 +24,5 @@
     "Elastic"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
+  "false_positives": [
+    "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS CloudTrail Log Created",
+  "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
+  ],
+  "risk_score": 21,
+  "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+  "severity": "low",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0009",
+        "name": "Collection",
+        "reference": "https://attack.mitre.org/tactics/TA0009/"
+      },
+      "technique": [
+        {
+          "id": "T1530",
+          "name": "Data from Cloud Storage Object",
+          "reference": "https://attack.mitre.org/techniques/T1530/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Network Connection via Certutil",
-  "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+  "query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
   "risk_score": 21,
   "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.",
   "false_positives": [
     "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "DNS Activity to the Internet",
-  "query": "destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+  "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
   "references": [
     "https://www.us-cert.gov/ncas/alerts/TA15-240A",
     "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
@@ -38,5 +43,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.",
   "false_positives": [
     "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "FTP (File Transfer Protocol) Activity to the Internet",
-  "query": "network.transport:tcp and destination.port:(20 or 21) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 21,
   "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
   "severity": "low",
@@ -49,5 +54,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.",
   "false_positives": [
     "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
-  "query": "network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 47,
   "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
   "severity": "medium",
@@ -49,5 +54,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
   "false_positives": [
     "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "IPSEC NAT Traversal Port Activity",
-  "query": "network.transport:udp and destination.port:4500",
+  "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
   "risk_score": 21,
   "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
   "severity": "low",
@@ -34,5 +39,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
   "false_positives": [
     "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "SMTP on Port 26/TCP",
-  "query": "network.transport:tcp and destination.port:26",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
   "references": [
     "https://unit42.paloaltonetworks.com/unit42-badpatch/",
     "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
@@ -53,5 +58,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.",
   "false_positives": [
     "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "TCP Port 8000 Activity to the Internet",
-  "query": "network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 21,
   "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
   "severity": "low",
@@ -34,5 +39,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.",
   "false_positives": [
     "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "PPTP (Point to Point Tunneling Protocol) Activity",
-  "query": "network.transport:tcp and destination.port:1723",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723",
   "risk_score": 21,
   "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
   "severity": "low",
@@ -34,5 +39,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.",
   "false_positives": [
-    "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
+    "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Proxy Port Activity to the Internet",
-  "query": "network.transport:tcp and destination.port:(1080 or 3128 or 8080) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 47,
   "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
   "severity": "medium",
@@ -34,5 +39,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
   "false_positives": [
     "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "RDP (Remote Desktop Protocol) from the Internet",
-  "query": "network.transport:tcp and destination.port:3389 and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 47,
   "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
   "severity": "medium",
@@ -64,5 +69,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.",
   "false_positives": [
     "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "SMTP to the Internet",
-  "query": "network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 21,
   "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
   "severity": "low",
@@ -49,5 +54,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.",
   "false_positives": [
     "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "SQL Traffic to the Internet",
-  "query": "network.transport:tcp and destination.port:(1433 or 1521 or 3336 or 5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 47,
   "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
   "severity": "medium",
@@ -34,5 +39,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
   "false_positives": [
     "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "SSH (Secure Shell) from the Internet",
-  "query": "network.transport:tcp and destination.port:22 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
   "risk_score": 47,
   "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
   "severity": "medium",
@@ -64,5 +69,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
   "false_positives": [
     "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "SSH (Secure Shell) to the Internet",
-  "query": "network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 21,
   "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
   "severity": "low",
@@ -34,5 +39,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
   "false_positives": [
     "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Telnet Port Activity",
-  "query": "network.transport:tcp and destination.port:23",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
   "risk_score": 47,
   "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
   "severity": "medium",
@@ -64,5 +69,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.",
   "false_positives": [
     "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Tor Activity to the Internet",
-  "query": "network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 47,
   "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
   "severity": "medium",
@@ -49,5 +54,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
   "false_positives": [
     "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "VNC (Virtual Network Computing) from the Internet",
-  "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
   "risk_score": 73,
   "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
   "severity": "high",
@@ -49,5 +54,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json

@@ -1,14 +1,19 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
   "false_positives": [
     "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
   ],
   "index": [
-    "filebeat-*"
+    "filebeat-*",
+    "packetbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "VNC (Virtual Network Computing) to the Internet",
-  "query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
   "risk_score": 47,
   "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
   "severity": "medium",
@@ -34,5 +39,5 @@
     }
   ],
   "type": "query",
-  "version": 3
+  "version": 4
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json

@@ -0,0 +1,43 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs.",
+  "index": [
+    "filebeat-*"
+  ],
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "Attempted Bypass of Okta MFA",
+  "query": "event.module:okta and event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+  "references": [
+    "https://developer.okta.com/docs/reference/api/system-log/",
+    "https://developer.okta.com/docs/reference/api/event-types/"
+  ],
+  "risk_score": 73,
+  "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+  "severity": "high",
+  "tags": [
+    "Elastic",
+    "Okta"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0006",
+        "name": "Credential Access",
+        "reference": "https://attack.mitre.org/tactics/TA0006/"
+      },
+      "technique": [
+        {
+          "id": "T1111",
+          "name": "Two-Factor Authentication Interception",
+          "reference": "https://attack.mitre.org/techniques/T1111/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.",
   "false_positives": [
     "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
@@ -7,8 +10,9 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Microsoft Build Engine Loading Windows Credential Libraries",
-  "query": "(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: \"Image loaded (rule: ImageLoad)\"",
+  "query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
   "risk_score": 73,
   "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
   "severity": "high",
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json

@@ -0,0 +1,62 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
+  "false_positives": [
+    "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS IAM User Addition to Group",
+  "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+  ],
+  "risk_score": 21,
+  "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+  "severity": "low",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0006",
+        "name": "Credential Access",
+        "reference": "https://attack.mitre.org/tactics/TA0006/"
+      },
+      "technique": [
+        {
+          "id": "T1098",
+          "name": "Account Manipulation",
+          "reference": "https://attack.mitre.org/techniques/T1098/"
+        }
+      ]
+    },
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0003",
+        "name": "Persistence",
+        "reference": "https://attack.mitre.org/tactics/TA0003/"
+      },
+      "technique": [
+        {
+          "id": "T1098",
+          "name": "Account Manipulation",
+          "reference": "https://attack.mitre.org/techniques/T1098/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json

@@ -0,0 +1,49 @@
+{
+  "author": [
+    "Nick Jones",
+    "Elastic"
+  ],
+  "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material",
+  "false_positives": [
+    "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS Access Secret in Secrets Manager",
+  "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+  "references": [
+    "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+    "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+  ],
+  "risk_score": 21,
+  "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+  "severity": "low",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0006",
+        "name": "Credential Access",
+        "reference": "https://attack.mitre.org/tactics/TA0006/"
+      },
+      "technique": [
+        {
+          "id": "T1528",
+          "name": "Steal Application Access Token",
+          "reference": "https://attack.mitre.org/techniques/T1528/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_tcpdump_activity.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.",
   "false_positives": [
     "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Network Sniffing via Tcpdump",
-  "query": "process.name:tcpdump and event.action:executed",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
   "risk_score": 21,
   "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
   "severity": "low",
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Adding Hidden File Attribute via Attrib",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
   "risk_score": 21,
   "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
   "severity": "low",
@@ -46,5 +50,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_iptables_or_firewall.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
   "index": [
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Attempt to Disable IPTables or Firewall",
-  "query": "event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
   "risk_score": 47,
   "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
   "severity": "medium",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_syslog_service.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
   "index": [
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Attempt to Disable Syslog Service",
-  "query": "event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+  "query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
   "risk_score": 47,
   "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
   "severity": "medium",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base16_or_base32_encoding_or_decoding_activity.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
   "false_positives": [
     "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Base16 or Base32 Encoding/Decoding Activity",
-  "query": "event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
   "risk_score": 21,
   "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
   "severity": "low",
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base64_encoding_or_decoding_activity.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
   "false_positives": [
     "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Base64 Encoding/Decoding Activity",
-  "query": "event.action:(executed or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
   "risk_score": 21,
   "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
   "severity": "low",
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Clearing Windows Event Logs",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
   "risk_score": 21,
   "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.",
+  "false_positives": [
+    "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS CloudTrail Log Deleted",
+  "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+  ],
+  "risk_score": 47,
+  "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+  "severity": "medium",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.",
+  "false_positives": [
+    "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS CloudTrail Log Suspended",
+  "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+  ],
+  "risk_score": 47,
+  "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+  "severity": "medium",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.",
+  "false_positives": [
+    "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS CloudWatch Alarm Deletion",
+  "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+    "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+  ],
+  "risk_score": 47,
+  "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
+  "severity": "medium",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibiltiy into the security posture of an account and / or its workload instances.",
+  "false_positives": [
+    "Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS Config Service Tampering",
+  "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+  "references": [
+    "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+    "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+  ],
+  "risk_score": 47,
+  "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+  "severity": "medium",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies an AWS configuration change to stop recording a designated set of resources.",
+  "false_positives": [
+    "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS Configuration Recorder Stopped",
+  "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+    "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+  ],
+  "risk_score": 73,
+  "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+  "severity": "high",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json

@@ -1,9 +1,13 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
   "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
   "risk_score": 21,
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Delete Volume USN Journal with Fsutil",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
   "risk_score": 21,
   "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_backup_catalogs_with_wbadmin.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Deleting Backup Catalogs with Wbadmin",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
   "risk_score": 21,
   "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json

@@ -0,0 +1,39 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations.",
+  "index": [
+    "auditbeat-*"
+  ],
+  "language": "lucene",
+  "license": "Elastic License",
+  "name": "Deletion of Bash Command Line History",
+  "query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+  "risk_score": 47,
+  "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+  "severity": "medium",
+  "tags": [
+    "Elastic",
+    "Linux"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1146",
+          "name": "Clear Command History",
+          "reference": "https://attack.mitre.org/techniques/T1146/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_selinux_attempt.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
   "index": [
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Potential Disabling of SELinux",
-  "query": "event.action:executed and process.name:setenforce and process.args:0",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
   "risk_score": 47,
   "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
   "severity": "medium",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Disable Windows Firewall Rules via Netsh",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
   "risk_score": 47,
   "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
   "severity": "medium",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+  "false_positives": [
+    "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS EC2 Flow Log Deletion",
+  "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+  ],
+  "risk_score": 73,
+  "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+  "severity": "high",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json

@@ -0,0 +1,50 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
+  "false_positives": [
+    "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS EC2 Network Access Control List Deletion",
+  "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+  ],
+  "risk_score": 47,
+  "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+  "severity": "medium",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_encoding_or_decoding_files_via_certutil.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Encoding or Decoding Files via CertUtil",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
   "risk_score": 47,
   "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
   "severity": "medium",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.",
   "false_positives": [
     "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
@@ -7,8 +10,9 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Microsoft Build Engine Started by an Office Application",
-  "query": "process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: \"Process Create (rule: ProcessCreate)\"",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
   "references": [
     "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
   ],
@@ -52,5 +56,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.",
   "false_positives": [
     "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
@@ -7,8 +10,9 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Microsoft Build Engine Started by a Script Process",
-  "query": "process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:\"Process Create (rule: ProcessCreate)\"",
+  "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
   "risk_score": 21,
   "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
   "severity": "low",
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.",
   "false_positives": [
     "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
@@ -7,8 +10,9 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Microsoft Build Engine Started by a System Process",
-  "query": "process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and event.action:\"Process Create (rule: ProcessCreate)\"",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
   "risk_score": 47,
   "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
   "severity": "medium",
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.",
   "false_positives": [
     "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
@@ -7,8 +10,9 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Microsoft Build Engine Using an Alternate Name",
-  "query": "(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and not process.name: MSBuild.exe and event.action: \"Process Create (rule: ProcessCreate)\"",
+  "query": "event.category:process and event.type:(start or process_started) and (pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
   "risk_score": 21,
   "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
   "severity": "low",
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.",
   "false_positives": [
     "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
@@ -7,8 +10,9 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Microsoft Build Engine Started an Unusual Process",
-  "query": "process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+  "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
   "references": [
     "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
   ],
@@ -37,5 +41,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_via_trusted_developer_utilities.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies possibly suspicious activity using trusted Windows developer activity.",
   "false_positives": [
     "These programs may be used by Windows developers but use by non-engineers is unusual."
@@ -7,6 +10,7 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Trusted Developer Application Usage",
   "query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)",
   "risk_score": 21,
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_deletion_via_shred.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
   "index": [
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "File Deletion via Shred",
-  "query": "event.action:(executed or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
   "risk_score": 21,
   "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_mod_writable_dir.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
   "false_positives": [
     "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "File Permission Modification in Writable Directory",
-  "query": "event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
   "risk_score": 21,
   "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
   "severity": "low",
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.",
+  "false_positives": [
+    "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS GuardDuty Detector Deletion",
+  "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+  ],
+  "risk_score": 73,
+  "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+  "severity": "high",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hex_encoding_or_decoding_activity.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
   "false_positives": [
     "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Hex Encoding/Decoding Activity",
-  "query": "event.action:(executed or process_started) and process.name:(hex or xxd)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)",
   "risk_score": 21,
   "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83",
   "severity": "low",
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_file_dir_tmp.json

@@ -0,0 +1,58 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
+  "false_positives": [
+    "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
+  ],
+  "index": [
+    "auditbeat-*"
+  ],
+  "language": "lucene",
+  "license": "Elastic License",
+  "max_signals": 33,
+  "name": "Creation of Hidden Files and Directories",
+  "query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+  "risk_score": 47,
+  "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+  "severity": "medium",
+  "tags": [
+    "Elastic",
+    "Linux"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1158",
+          "name": "Hidden Files and Directories",
+          "reference": "https://attack.mitre.org/techniques/T1158/"
+        }
+      ]
+    },
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0003",
+        "name": "Persistence",
+        "reference": "https://attack.mitre.org/tactics/TA0003/"
+      },
+      "technique": [
+        {
+          "id": "T1158",
+          "name": "Hidden Files and Directories",
+          "reference": "https://attack.mitre.org/techniques/T1158/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.",
   "false_positives": [
     "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
@@ -7,6 +10,7 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Process Injection by the Microsoft Build Engine",
   "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
   "risk_score": 21,
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kernel_module_removal.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
   "false_positives": [
     "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Kernel Module Removal",
-  "query": "event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and (\"--remove\" or \"-r\"))",
+  "query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
   "references": [
     "http://man7.org/linux/man-pages/man8/modprobe.8.html"
   ],
@@ -52,5 +56,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json

@@ -1,11 +1,15 @@
 {
-  "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.",
+  "author": [
+    "Elastic"
+  ],
+  "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Network Connection via Signed Binary",
-  "query": "process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+  "query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
   "risk_score": 21,
   "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
   "severity": "low",
@@ -46,5 +50,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modification_of_boot_config.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Modification of Boot Configuration",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
   "risk_score": 21,
   "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json

@@ -0,0 +1,51 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.",
+  "false_positives": [
+    "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS S3 Bucket Configuration Deletion",
+  "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+  "references": [
+    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+  ],
+  "risk_score": 21,
+  "rule_id": "227dc608-e558-43d9-b521-150772250bae",
+  "severity": "low",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1070",
+          "name": "Indicator Removal on Host",
+          "reference": "https://attack.mitre.org/techniques/T1070/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json

@@ -1,9 +1,13 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Potential Evasion via Filter Manager",
   "query": "event.code:1 and process.name:fltMC.exe",
   "risk_score": 21,
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Volume Shadow Copy Deletion via VssAdmin",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:vssadmin.exe and process.args:(delete and shadows)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
   "risk_score": 73,
   "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
   "severity": "high",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_volume_shadow_copy_deletion_via_wmic.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Volume Shadow Copy Deletion via WMIC",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
   "risk_score": 73,
   "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
   "severity": "high",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.",
+  "false_positives": [
+    "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS WAF Access Control List Deletion",
+  "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+  "references": [
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+    "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+  ],
+  "risk_score": 47,
+  "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+  "severity": "medium",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json

@@ -0,0 +1,48 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.",
+  "false_positives": [
+    "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+  ],
+  "from": "now-60m",
+  "index": [
+    "filebeat-*"
+  ],
+  "interval": "10m",
+  "language": "kuery",
+  "license": "Elastic License",
+  "name": "AWS WAF Rule or Rule Group Deletion",
+  "query": "event.module:aws and event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+  "references": [
+    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+    "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+  ],
+  "risk_score": 47,
+  "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+  "severity": "medium",
+  "tags": [
+    "AWS",
+    "Elastic"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0005",
+        "name": "Defense Evasion",
+        "reference": "https://attack.mitre.org/tactics/TA0005/"
+      },
+      "technique": [
+        {
+          "id": "T1089",
+          "name": "Disabling Security Tools",
+          "reference": "https://attack.mitre.org/techniques/T1089/"
+        }
+      ]
+    }
+  ],
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_kernel_module_enumeration.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
   "false_positives": [
     "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Enumeration of Kernel Modules",
-  "query": "event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+  "query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
   "risk_score": 47,
   "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
   "severity": "medium",
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_command_system_account.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Net command via SYSTEM account",
-  "query": "(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:\"Process Create (rule: ProcessCreate)\"",
+  "query": "event.category:process and event.type:(start or process_started) and (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
   "risk_score": 21,
   "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_process_discovery_via_tasklist_command.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Adversaries may attempt to get information about running processes on a system.",
   "false_positives": [
     "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes."
@@ -7,6 +10,7 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Process Discovery via Tasklist",
   "query": "event.code:1 and process.name:tasklist.exe",
   "risk_score": 21,
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
   "false_positives": [
     "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Virtual Machine Fingerprinting",
-  "query": "event.action:executed and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+  "query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
   "risk_score": 73,
   "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
   "severity": "high",
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
   "false_positives": [
     "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
@@ -7,6 +10,7 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Whoami Process Activity",
   "query": "process.name:whoami.exe and event.code:1",
   "risk_score": 21,
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_commmand.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.",
   "false_positives": [
     "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
@@ -7,8 +10,9 @@
     "auditbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "User Discovery via Whoami",
-  "query": "process.name:whoami and event.action:executed",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:whoami",
   "risk_score": 21,
   "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
   "severity": "low",
@@ -34,5 +38,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json

@@ -0,0 +1,60 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Generates a detection alert each time an Elastic Endpoint alert is received. Enabling this rule allows you to immediately begin investigating your Elastic Endpoint alerts.",
+  "enabled": true,
+  "from": "now-10m",
+  "index": [
+    "logs-endpoint.alerts-*"
+  ],
+  "language": "kuery",
+  "license": "Elastic License",
+  "max_signals": 10000,
+  "name": "Elastic Endpoint",
+  "query": "event.kind:alert and event.module:(endpoint and not endgame)",
+  "risk_score": 47,
+  "risk_score_mapping": [
+    {
+      "field": "event.risk_score",
+      "operator": "equals",
+      "value": ""
+    }
+  ],
+  "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+  "rule_name_override": "message",
+  "severity": "medium",
+  "severity_mapping": [
+    {
+      "field": "event.severity",
+      "operator": "equals",
+      "severity": "low",
+      "value": "21"
+    },
+    {
+      "field": "event.severity",
+      "operator": "equals",
+      "severity": "medium",
+      "value": "47"
+    },
+    {
+      "field": "event.severity",
+      "operator": "equals",
+      "severity": "high",
+      "value": "73"
+    },
+    {
+      "field": "event.severity",
+      "operator": "equals",
+      "severity": "critical",
+      "value": "99"
+    }
+  ],
+  "tags": [
+    "Elastic",
+    "Endpoint"
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "query",
+  "version": 1
+}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_adversary_behavior_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Adversary Behavior - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
   "risk_score": 47,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_cred_dumping_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Credential Dumping - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
   "risk_score": 73,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_cred_dumping_prevented.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Credential Dumping - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
   "risk_score": 47,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_cred_manipulation_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Credential Manipulation - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
   "risk_score": 73,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_cred_manipulation_prevented.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Credential Manipulation - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
   "risk_score": 47,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_exploit_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Exploit - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
   "risk_score": 73,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_exploit_prevented.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Exploit - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
   "risk_score": 47,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_malware_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Malware - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
   "risk_score": 99,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_malware_prevented.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Malware - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
   "risk_score": 73,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_permission_theft_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Permission Theft - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
   "risk_score": 73,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_permission_theft_prevented.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Permission Theft - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
   "risk_score": 47,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_process_injection_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Process Injection - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
   "risk_score": 73,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_process_injection_prevented.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Process Injection - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
   "risk_score": 47,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_ransomware_detected.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Ransomware - Detected - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
   "risk_score": 99,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endpoint_ransomware_prevented.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
   "from": "now-15m",
   "index": [
@@ -6,6 +9,7 @@
   ],
   "interval": "10m",
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Ransomware - Prevented - Elastic Endpoint",
   "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
   "risk_score": 73,
@@ -16,5 +20,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json

@@ -1,35 +0,0 @@
-{
-  "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
-  "index": [
-    "winlogbeat-*"
-  ],
-  "language": "kuery",
-  "name": "Suspicious MS Office Child Process",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
-  "risk_score": 21,
-  "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Windows"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0002",
-        "name": "Execution",
-        "reference": "https://attack.mitre.org/tactics/TA0002/"
-      },
-      "technique": [
-        {
-          "id": "T1193",
-          "name": "Spearphishing Attachment",
-          "reference": "https://attack.mitre.org/techniques/T1193/"
-        }
-      ]
-    }
-  ],
-  "type": "query",
-  "version": 2
-}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json

@@ -1,35 +0,0 @@
-{
-  "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
-  "index": [
-    "winlogbeat-*"
-  ],
-  "language": "kuery",
-  "name": "Suspicious MS Outlook Child Process",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
-  "risk_score": 21,
-  "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Windows"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0002",
-        "name": "Execution",
-        "reference": "https://attack.mitre.org/tactics/TA0002/"
-      },
-      "technique": [
-        {
-          "id": "T1193",
-          "name": "Spearphishing Attachment",
-          "reference": "https://attack.mitre.org/techniques/T1193/"
-        }
-      ]
-    }
-  ],
-  "type": "query",
-  "version": 2
-}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json

@@ -1,35 +0,0 @@
-{
-  "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
-  "index": [
-    "winlogbeat-*"
-  ],
-  "language": "kuery",
-  "name": "Unusual Parent-Child Relationship",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
-  "risk_score": 47,
-  "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
-  "severity": "medium",
-  "tags": [
-    "Elastic",
-    "Windows"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0004",
-        "name": "Privilege Escalation",
-        "reference": "https://attack.mitre.org/tactics/TA0004/"
-      },
-      "technique": [
-        {
-          "id": "T1093",
-          "name": "Process Hollowing",
-          "reference": "https://attack.mitre.org/techniques/T1093/"
-        }
-      ]
-    }
-  ],
-  "type": "query",
-  "version": 2
-}

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json

@@ -1,4 +1,7 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.",
   "false_positives": [
     "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
@@ -7,8 +10,9 @@
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Command Prompt Network Connection",
-  "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+  "query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
   "risk_score": 21,
   "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
   "severity": "low",
@@ -49,5 +53,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_powershell.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "PowerShell spawning Cmd",
-  "query": "process.parent.name:powershell.exe and process.name:cmd.exe",
+  "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe",
   "risk_score": 21,
   "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
   "severity": "low",
@@ -46,5 +50,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Svchost spawning Cmd",
-  "query": "process.parent.name:svchost.exe and process.name:cmd.exe",
+  "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
   "risk_score": 21,
   "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Network Connection via Compiled HTML File",
-  "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+  "query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
   "risk_score": 21,
   "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
   "severity": "low",
@@ -46,5 +50,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_local_service_commands.json

@@ -1,11 +1,15 @@
 {
+  "author": [
+    "Elastic"
+  ],
   "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
   "index": [
     "winlogbeat-*"
   ],
   "language": "kuery",
+  "license": "Elastic License",
   "name": "Local Service Commands",
-  "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(config or create or failure or start)",
+  "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
   "risk_score": 21,
   "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
   "severity": "low",
@@ -31,5 +35,5 @@
     }
   ],
   "type": "query",
-  "version": 2
+  "version": 3
 }