diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json
deleted file mode 100644
index faa1c97e4bada..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Network - Detect Large Outbound ICMP Packets",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Network - Detect Large Outbound ICMP Packets",
- "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "4fce2a7e-0e11-4f17-bae3-8873c5ae62be",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json
deleted file mode 100644
index f034e4999107f..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Network - Detect Long DNS TXT Record Response",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Network - Detect Long DNS TXT Record Response",
- "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
- "risk_score": 50,
- "rule_id": "cc28f445-318e-4850-8b0d-5ad53eaded74",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json
deleted file mode 100644
index d1b5f6be75040..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Network - Protocols passing authentication in cleartext",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Network - Protocols passing authentication in cleartext",
- "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
- "risk_score": 50,
- "rule_id": "31f32b3c-415a-4a18-b60f-5748a337246b",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json
deleted file mode 100644
index 60d5ffe918585..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - Child Processes of Spoolsv.exe",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - Child Processes of Spoolsv.exe",
- "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
- "risk_score": 50,
- "rule_id": "dcc45d35-f42e-4f97-81e8-90b0597ea0d1",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json
deleted file mode 100644
index ca27234b0d8ae..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - Detect New Local Admin account",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - Detect New Local Admin account",
- "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
- "risk_score": 50,
- "rule_id": "461db51b-b1a1-49de-ac63-e1bcbd445602",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json
deleted file mode 100644
index 25dcd8234e092..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - Detect PsExec With accepteula Flag",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - Detect PsExec With accepteula Flag",
- "query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
- "risk_score": 50,
- "rule_id": "304b0e0c-bd06-46f8-aeda-2e719ae434d1",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json
deleted file mode 100644
index 70d06ca9a4777..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - Detect Use of cmd.exe to Launch Script Interpreters",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - Detect Use of cmd.exe to Launch Script Interpreters",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
- "risk_score": 50,
- "rule_id": "b17c215e-8fa5-4087-b8d1-87761a90d710",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json
deleted file mode 100644
index 9dbc8d7cbb7ed..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - New External Device Attached",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - New External Device Attached",
- "query": "event.code:6416",
- "risk_score": 50,
- "rule_id": "c0747553-5763-5d85-cd97-898f2daa2bde",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json
deleted file mode 100644
index 3f4e1a6243a96..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - Processes created by netsh",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - Processes created by netsh",
- "query": "process.parent.name:netsh.exe",
- "risk_score": 50,
- "rule_id": "e312dd9e-4760-4a71-a241-9b9a835a51c4",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json
deleted file mode 100644
index 34d08d7596e11..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - Processes launching netsh",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - Processes launching netsh",
- "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
- "risk_score": 50,
- "rule_id": "3b8db8aa-5734-405e-8dda-703129078a35",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json
deleted file mode 100644
index bd82247203f00..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Windows - Windows Event Log Cleared",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Windows - Windows Event Log Cleared",
- "query": "event.code:(1102 or 1100)",
- "risk_score": 50,
- "rule_id": "b94b5177-ca7f-468a-9a1d-aef39c30a3ae",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json
deleted file mode 100644
index e20197dfd2c92..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Child Processes of Spoolsv.exe",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Child Processes of Spoolsv.exe",
- "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
- "risk_score": 50,
- "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json
deleted file mode 100644
index 11186bfb44d62..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Detect Large Outbound ICMP Packets",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Detect Large Outbound ICMP Packets",
- "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json
deleted file mode 100644
index 724985b2d1de8..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Detect Long DNS TXT Record Response",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Detect Long DNS TXT Record Response",
- "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
- "risk_score": 50,
- "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json
deleted file mode 100644
index c0e773f09b168..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Detect New Local Admin account",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Detect New Local Admin account",
- "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
- "risk_score": 50,
- "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json
deleted file mode 100644
index f9ad5793f2547..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Detect PsExec With accepteula Flag",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Detect PsExec With accepteula Flag",
- "query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
- "risk_score": 50,
- "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json
deleted file mode 100644
index 0a67c3adeaea5..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
- "risk_score": 50,
- "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json
deleted file mode 100644
index 466f9aff01942..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Processes created by netsh",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Processes created by netsh",
- "query": "process.parent.name:netsh.exe",
- "risk_score": 50,
- "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
deleted file mode 100644
index cc54721cd92f2..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Processes launching netsh",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Processes launching netsh",
- "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
- "risk_score": 50,
- "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
deleted file mode 100644
index c68e074d43817..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Protocols passing authentication in cleartext",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Protocols passing authentication in cleartext",
- "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
- "risk_score": 50,
- "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
deleted file mode 100644
index 5f36d6623bcfb..0000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Splunk - Windows Event Log Cleared",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Splunk - Windows Event Log Cleared",
- "query": "event.code:(1102 or 1100)",
- "risk_score": 50,
- "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}