diff --git a/docs/visualize/tilemap.asciidoc b/docs/visualize/tilemap.asciidoc index a4d995982bdc7..2b499d098a956 100644 --- a/docs/visualize/tilemap.asciidoc +++ b/docs/visualize/tilemap.asciidoc 
@@ -1,105 +1,72 @@ [[tilemap]] -== Coordinate Maps +== Coordinate map -A coordinate map displays a geographic area overlaid with circles keyed to the data determined by the buckets you specify. +Coordinate maps display geographic areas overlaid with circles keyed to the data determined by the buckets you specify. To use coordinate maps, you plot latitude and longitude coordinates. -Kibana’s out-of-the-box settings do not show a coordinate map in the New Visualization menu. Use <> instead, which offers more functionality and is easier to use. -If you want to create new coordinate map visualizations, set `xpack.maps.showMapVisualizationTypes` to `true`. +NOTE: Coordinate maps have been replaced with <>, which offers more functionality and is easier to use. -Kibana uses the https://www.elastic.co/elastic-maps-service[Elastic Maps Service] -to display map tiles. To use other tile service providers, configure the <> +To create coordinate maps in Visualize: + +* Set `xpack.maps.showMapVisualizationTypes` to `true`. + +* To display map tiles, {kib} uses the https://www.elastic.co/elastic-maps-service[Elastic Maps Service]. +To use other tile service providers, configure the <> in `kibana.yml`. [float] -[[tilemap-configuration]] -=== Configuration +[[coordinate-map-aggregation]] +=== Supported aggregations -[float] -==== Data +Coordinate maps support the metric and bucket aggregations. [float] -===== Metrics - -The default _metrics_ aggregation for a coordinate map is the *Count* aggregation. You can select any of the following -aggregations as the metrics aggregation: - -*Count*:: The {ref}/search-aggregations-metrics-valuecount-aggregation.html[_count_] aggregation returns a raw count of -the elements in the selected index pattern. -*Average*:: This aggregation returns the {ref}/search-aggregations-metrics-avg-aggregation.html[_average_] of a numeric -field. Select a field from the drop-down. 
-*Sum*:: The {ref}/search-aggregations-metrics-sum-aggregation.html[_sum_] aggregation returns the total sum of a numeric -field. Select a field from the drop-down. -*Min*:: The {ref}/search-aggregations-metrics-min-aggregation.html[_min_] aggregation returns the minimum value of a -numeric field. Select a field from the drop-down. -*Max*:: The {ref}/search-aggregations-metrics-max-aggregation.html[_max_] aggregation returns the maximum value of a -numeric field. Select a field from the drop-down. -*Unique Count*:: The {ref}/search-aggregations-metrics-cardinality-aggregation.html[_cardinality_] aggregation returns -the number of unique values in a field. Select a field from the drop-down. - -Enter a string in the *Custom Label* field to change the display label. +===== Metric aggregations -[float] -===== Buckets +The following metric aggregations are supported: -Coordinate maps use the {ref}/search-aggregations-bucket-geohashgrid-aggregation.html[_geohash_] aggregation. Select a field, typically coordinates, from the -drop-down. +{ref}/search-aggregations-metrics-valuecount-aggregation.html[Count]:: Returns a raw count of +the elements in the index pattern. The default metrics aggregation for a coordinate map is *Count*. -- The _Change precision on map zoom_ box is checked by default. Uncheck the box to disable this behavior. -The _Precision_ slider determines the granularity of the results displayed on the map. See the documentation -for the {ref}/search-aggregations-bucket-geohashgrid-aggregation.html#_cell_dimensions_at_the_equator[geohash grid] -aggregation for details on the area specified by each precision level. +{ref}/search-aggregations-metrics-avg-aggregation.html[Average]:: Returns the average of a numeric +field. -NOTE: Higher precisions increase memory usage for the browser displaying Kibana as well as for the underlying -Elasticsearch cluster. +{ref}/search-aggregations-metrics-sum-aggregation.html[Sum]:: Returns the total sum of a numeric +field. 
-- The _place markers off grid (use {ref}/search-aggregations-metrics-geocentroid-aggregation.html[geocentroid])_ box is checked by default. When this box is checked, the markers are -placed in the center of all the documents in that bucket. When unchecked, the markers are placed in the center -of the geohash grid cell. Leaving this checked generally results in a more accurate visualization. +{ref}/search-aggregations-metrics-min-aggregation.html[Min]:: Returns the minimum value of a +numeric field. +{ref}/search-aggregations-metrics-max-aggregation.html[Max]:: Returns the maximum value of a +numeric field. -Enter a string in the *Custom Label* field to change the display label. +{ref}/search-aggregations-metrics-cardinality-aggregation.html[Unique Count]:: Returns +the number of unique values in a field. [float] -==== Options - -*Map type*:: Select one of the following options from the drop-down. -*_Scaled Circle Markers_*:: Scale the size of the markers based on the metric aggregation's value. -*_Shaded Circle Markers_*:: Displays the markers with different shades based on the metric aggregation's value. -*_Shaded Geohash Grid_*:: Displays the rectangular cells of the geohash grid instead of circular markers, with different -shades based on the metric aggregation's value. -*_Heatmap_*:: A heat map applies blurring to the circle markers and applies shading based on the amount of overlap. -Heatmaps have the following options: - -* *Cluster size*: Adjust the size of the heatmap clustering. -* *Show Tooltip*: Check this box to have a tooltip with the values for a given dot when the cursor is on that dot. - -*Desaturate map tiles*:: Desaturate the map's color in order to make the markers stand out more clearly. -*WMS compliant map server*:: Check this box to enable the use of a third-party mapping service that complies with the Web -Map Service (WMS) standard. Specify the following elements: - -* *WMS url*: The URL for the WMS map service. 
-* *WMS layers*: A comma-separated list of the layers to use in this visualization. Each map server provides its own list of -layers. -* *WMS version*: The WMS version used by this map service. -* *WMS format*: The image format used by this map service. The two most common formats are `image/png` and `image/jpeg`. -* *WMS attribution*: An optional, user-defined string that identifies the map source. Maps display the attribution string -in the lower right corner. -* *WMS styles*: A comma-separated list of the styles to use in this visualization. Each map server provides its own styling -options. - -After changing options, click the *Apply changes* button to update your visualization, or the grey *Discard -changes* button to keep your visualization in its current state. +[[coordinate-bucket-aggregation]] +===== Bucket aggregation + +Coordinate maps support the {ref}/search-aggregations-bucket-geohashgrid-aggregation.html[_geohash_] bucket aggregation. + +When you deselect *Change precision on map zoom*, the *Precision* slider appears. The *Precision* slider determines the granularity of the results displayed on the map. For details on the area specified by each precision level, refer to {ref}/search-aggregations-bucket-geohashgrid-aggregation.html#_cell_dimensions_at_the_equator[geohash grid]. + +NOTE: Higher precisions increase memory usage for the browser that displays {kib} and the underlying +{es} cluster. + +When you select *Place markers off grid (use {ref}/search-aggregations-metrics-geocentroid-aggregation.html[geocentroid])*, the markers are +placed in the center of all documents in the bucket, and a more accurate visualization is created. +NOTE: When you have multiple values in the geo_point, the coordinate map is unable to accurately calculate the geo_centroid. + +When you deselect *Place markers off grid (use {ref}/search-aggregations-metrics-geocentroid-aggregation.html[geocentroid])*, the markers are placed in the center +of the geohash grid cell. 
[float] [[navigate-map]] -=== Navigating the Map +=== Navigate the coordinate map -Once your tilemap visualization is ready, you can explore the map in several ways: +Use the following navigation options: -* Click and hold anywhere on the map and move the cursor to move the map center. Hold Shift and drag a bounding box -across the map to zoom in on the selection. -* Click the *Zoom In/Out* image:images/viz-zoom.png[] buttons to change the zoom level manually. -* Click the *Fit Data Bounds* image:images/viz-fit-bounds.png[] button to automatically crop the map boundaries to the -geohash buckets that have at least one result. -* Click the *Latitude/Longitude Filter* image:images/viz-lat-long-filter.png[] button, then drag a bounding box across the -map, to create a filter for the box coordinates. +* To move the map center, click and hold anywhere on the map and move the cursor. +* To change the zoom level, click *Zoom In* or *Zoom out* image:images/viz-zoom.png[]. +* To automatically crop the map boundaries to the +geohash buckets that have at least one result, click *Fit Data Bounds* image:images/viz-fit-bounds.png[]. diff --git a/x-pack/legacy/plugins/canvas/canvas_plugin_src/renderers/time_filter/components/time_picker_popover/time_picker_popover.tsx b/x-pack/legacy/plugins/canvas/canvas_plugin_src/renderers/time_filter/components/time_picker_popover/time_picker_popover.tsx index 1dafd7ba648c3..8f6061b688319 100644 --- a/x-pack/legacy/plugins/canvas/canvas_plugin_src/renderers/time_filter/components/time_picker_popover/time_picker_popover.tsx +++ b/x-pack/legacy/plugins/canvas/canvas_plugin_src/renderers/time_filter/components/time_picker_popover/time_picker_popover.tsx @@ -42,7 +42,16 @@ export const TimePickerPopover: FunctionComponent = ({ from, to, onSelect anchorClassName="canvasTimePickerPopover__anchor" button={button} > - {() => } + {({ closePopover }) => ( + { + onSelect(...args); + closePopover(); + }} + /> + )} ); }; 
diff --git a/x-pack/legacy/plugins/canvas/public/components/element_wrapper/index.js b/x-pack/legacy/plugins/canvas/public/components/element_wrapper/index.js index 1934eab85d034..60c7e731691fa 100644 --- a/x-pack/legacy/plugins/canvas/public/components/element_wrapper/index.js +++ b/x-pack/legacy/plugins/canvas/public/components/element_wrapper/index.js @@ -58,7 +58,9 @@ function selectorFactory(dispatch) { export const ElementWrapper = compose( connectAdvanced(selectorFactory), withPropsOnChange( - (props, nextProps) => !isEqual(props.element, nextProps.element), + (props, nextProps) => + !isEqual(props.element, nextProps.element) || + !isEqual(props.selectedPage, nextProps.selectedPage), props => { const { element, createHandlers } = props; const handlers = createHandlers(element, props.selectedPage); diff --git a/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/index.ts b/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/index.ts index a8ae785adafc1..2b2a582fb4526 100644 --- a/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/index.ts +++ b/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/index.ts @@ -62,12 +62,8 @@ export const WorkpadExport = compose( enabled, getExportUrl: type => { if (type === 'pdf') { - const { createPdfUri } = getPdfUrl( - workpad, - { pageCount }, - kibana.services.http.basePath.prepend - ); - return getAbsoluteUrl(createPdfUri); + const pdfUrl = getPdfUrl(workpad, { pageCount }, kibana.services.http.basePath.prepend); + return getAbsoluteUrl(pdfUrl); } throw new Error(strings.getUnknownExportErrorMessage(type)); diff --git a/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/utils.test.ts b/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/utils.test.ts new file mode 100644 index 0000000000000..ceaf82c1c07d6 --- /dev/null 
+++ b/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/utils.test.ts @@ -0,0 +1,37 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +jest.mock('../../../../common/lib/fetch'); + +import { getPdfUrl, createPdf } from './utils'; +import { workpads } from '../../../../__tests__/fixtures/workpads'; +import { fetch } from '../../../../common/lib/fetch'; + +const addBasePath = jest.fn().mockImplementation(s => `basepath/${s}`); +const workpad = workpads[0]; + +test('getPdfUrl returns the correct url', () => { + const url = getPdfUrl(workpad, { pageCount: 2 }, addBasePath); + + expect(url).toMatchInlineSnapshot( + `"basepath//api/reporting/generate/printablePdf?jobParams=(browserTimezone:America%2FPhoenix,layout:(dimensions:(height:0,width:0),id:preserve_layout),objectType:'canvas%20workpad',relativeUrls:!(%2Fapp%2Fcanvas%23%2Fexport%2Fworkpad%2Fpdf%2Fbase-workpad%2Fpage%2F1,%2Fapp%2Fcanvas%23%2Fexport%2Fworkpad%2Fpdf%2Fbase-workpad%2Fpage%2F2),title:'base%20workpad')"` + ); +}); + +test('createPdf posts to create the pdf', () => { + createPdf(workpad, { pageCount: 2 }, addBasePath); + + expect(fetch.post).toBeCalled(); + + const args = (fetch.post as jest.MockedFunction).mock.calls[0]; + + expect(args[0]).toMatchInlineSnapshot(`"basepath//api/reporting/generate/printablePdf"`); + expect(args[1]).toMatchInlineSnapshot(` + Object { + "jobParams": "(browserTimezone:America/Phoenix,layout:(dimensions:(height:0,width:0),id:preserve_layout),objectType:'canvas workpad',relativeUrls:!(/app/canvas#/export/workpad/pdf/base-workpad/page/1,/app/canvas#/export/workpad/pdf/base-workpad/page/2),title:'base workpad')", + } + `); +}); 
diff --git a/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/utils.ts b/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/utils.ts index f0ca5fac1d271..f7f191a48de82 100644 --- a/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/utils.ts +++ b/x-pack/legacy/plugins/canvas/public/components/workpad_header/workpad_export/utils.ts @@ -7,6 +7,7 @@ import rison from 'rison-node'; // @ts-ignore Untyped local. import { fetch } from '../../../../common/lib/fetch'; +import { getStartPlugins } from '../../../legacy'; import { CanvasWorkpad } from '../../../../types'; // type of the desired pdf output (print or preserve_layout) @@ -25,7 +26,7 @@ interface PdfUrlData { createPdfPayload: { jobParams: string }; } -export function getPdfUrl( +function getPdfUrlParts( { id, name: title, width, height }: CanvasWorkpad, { pageCount }: PageCount, addBasePath: (path: string) => string @@ -68,7 +69,16 @@ export function getPdfUrl( }; } +export function getPdfUrl(...args: Arguments): string { + const urlParts = getPdfUrlParts(...args); + + return `${urlParts.createPdfUri}?${getStartPlugins().__LEGACY.QueryString.param( + 'jobParams', + urlParts.createPdfPayload.jobParams + )}`; +} + export function createPdf(...args: Arguments) { - const { createPdfUri, createPdfPayload } = getPdfUrl(...args); + const { createPdfUri, createPdfPayload } = getPdfUrlParts(...args); return fetch.post(createPdfUri, createPdfPayload); } diff --git a/x-pack/legacy/plugins/canvas/public/legacy.ts b/x-pack/legacy/plugins/canvas/public/legacy.ts index 49b88ee60921a..61e12893b3e02 100644 --- a/x-pack/legacy/plugins/canvas/public/legacy.ts +++ b/x-pack/legacy/plugins/canvas/public/legacy.ts 
@@ -15,6 +15,8 @@ import { absoluteToParsedUrl } from 'ui/url/absolute_to_parsed_url'; // eslint-d import { Storage } from '../../../../../src/plugins/kibana_utils/public'; // eslint-disable-line import/order // @ts-ignore Untyped Kibana Lib import { formatMsg } from 'ui/notify/lib/format_msg'; // eslint-disable-line import/order +// @ts-ignore Untyped Kibana Lib +import { QueryString } from 'ui/utils/query_string'; // eslint-disable-line import/order const shimCoreSetup = { ...npSetup.core, @@ -30,6 +32,7 @@ const shimStartPlugins: CanvasStartDeps = { absoluteToParsedUrl, // ToDo: Copy directly into canvas formatMsg, + QueryString, // ToDo: Remove in favor of core.application.register setRootController: chrome.setRootController, storage: Storage, diff --git a/x-pack/legacy/plugins/canvas/public/plugin.tsx b/x-pack/legacy/plugins/canvas/public/plugin.tsx index 9828845d9ffa9..155eef99632a0 100644 --- a/x-pack/legacy/plugins/canvas/public/plugin.tsx +++ b/x-pack/legacy/plugins/canvas/public/plugin.tsx @@ -39,6 +39,7 @@ export interface CanvasStartDeps { __LEGACY: { absoluteToParsedUrl: (url: string, basePath: string) => any; formatMsg: any; + QueryString: any; setRootController: Chrome['setRootController']; storage: typeof Storage; trackSubUrlForApp: Chrome['trackSubUrlForApp']; diff --git a/x-pack/legacy/plugins/ml/public/application/components/field_type_icon/_field_type_icon.scss b/x-pack/legacy/plugins/ml/public/application/components/field_type_icon/_field_type_icon.scss index 864df28f2c055..741974c56987e 100644 --- a/x-pack/legacy/plugins/ml/public/application/components/field_type_icon/_field_type_icon.scss +++ b/x-pack/legacy/plugins/ml/public/application/components/field_type_icon/_field_type_icon.scss 
@@ -7,12 +7,16 @@ $icon-size: 20px; border-radius: 4px; width: $icon-size; height: $icon-size; - line-height: $icon-size;; + line-height: $icon-size; text-align: center; + position: relative; .field-type-icon { padding: 0; - display: inline !important; - vertical-align: initial; + display: inline-block !important; + position: absolute; + top: 50%; + left: 50%; + transform: translate(-50%, -50%); } } diff --git a/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/_field_stats_card.scss b/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/_field_stats_card.scss index 2702817a55749..48aab16d85be6 100644 --- a/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/_field_stats_card.scss +++ b/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/_field_stats_card.scss @@ -17,7 +17,7 @@ border-color: $euiColorVis5; .field-type-icon-container { - background-color: rgba($euiColorVis5, 0.5); + background-color: rgba($euiColorVis5, 0.2); } } @@ -26,7 +26,7 @@ border-color: $euiColorVis7; .field-type-icon-container { - background-color: rgba($euiColorVis7, 0.5); + background-color: rgba($euiColorVis7, 0.2); } } @@ -35,7 +35,7 @@ border-color: $euiColorVis2; .field-type-icon-container { - background-color: rgba($euiColorVis2, 0.5); + background-color: rgba($euiColorVis2, 0.2); } } @@ -44,7 +44,7 @@ border-color: $euiColorVis8; .field-type-icon-container { - background-color: rgba($euiColorVis8, 0.5); + background-color: rgba($euiColorVis8, 0.2); } } @@ -53,7 +53,7 @@ border-color: $euiColorVis3; .field-type-icon-container { - background-color: rgba($euiColorVis3, 0.5); + background-color: rgba($euiColorVis3, 0.2); } } @@ -62,7 +62,7 @@ border-color: $euiColorVis0; .field-type-icon-container { - background-color: rgba($euiColorVis0, 0.5); + background-color: rgba($euiColorVis0, 0.2); } } 
@@ -71,7 +71,7 @@ border-color: $euiColorVis1; .field-type-icon-container { - background-color: rgba($euiColorVis1, 0.5); + background-color: rgba($euiColorVis1, 0.2); } } @@ -80,7 +80,7 @@ border-color: $euiColorVis9; .field-type-icon-container { - background-color: rgba($euiColorVis9, 0.5); + background-color: rgba($euiColorVis9, 0.2); } } @@ -90,7 +90,7 @@ border-color: $euiColorVis6; .field-type-icon-container { - background-color: rgba($euiColorVis6, 0.5); + background-color: rgba($euiColorVis6, 0.2); } } diff --git a/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/fields_stats.js b/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/fields_stats.js index 29051a45d719f..5dfae43f223b1 100644 --- a/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/fields_stats.js +++ b/x-pack/legacy/plugins/ml/public/application/datavisualizer/file_based/components/fields_stats/fields_stats.js @@ -32,7 +32,7 @@ export class FieldsStats extends Component {
{this.state.fields.map(f => ( - + ))} diff --git a/x-pack/legacy/plugins/ml/public/application/datavisualizer/index_based/components/field_data_card/_field_data_card.scss b/x-pack/legacy/plugins/ml/public/application/datavisualizer/index_based/components/field_data_card/_field_data_card.scss index d517be0a9358d..6790b947f6f59 100644 --- a/x-pack/legacy/plugins/ml/public/application/datavisualizer/index_based/components/field_data_card/_field_data_card.scss +++ b/x-pack/legacy/plugins/ml/public/application/datavisualizer/index_based/components/field_data_card/_field_data_card.scss @@ -9,7 +9,7 @@ border-color: $euiColorVis5; .field-type-icon-container { - background-color: rgba($euiColorVis5, 0.5); + background-color: rgba($euiColorVis5, 0.2); } } @@ -18,7 +18,7 @@ border-color: $euiColorVis7; .field-type-icon-container { - background-color: rgba($euiColorVis7, 0.5); + background-color: rgba($euiColorVis7, 0.2); } } @@ -27,7 +27,7 @@ border-color: $euiColorVis2; .field-type-icon-container { - background-color: rgba($euiColorVis2, 0.5); + background-color: rgba($euiColorVis2, 0.2); } } @@ -36,7 +36,7 @@ border-color: $euiColorVis8; .field-type-icon-container { - background-color: rgba($euiColorVis8, 0.5); + background-color: rgba($euiColorVis8, 0.2); } } @@ -45,7 +45,7 @@ border-color: $euiColorVis3; .field-type-icon-container { - background-color: rgba($euiColorVis3, 0.5); + background-color: rgba($euiColorVis3, 0.2); } } @@ -54,7 +54,7 @@ border-color: $euiColorVis0; .field-type-icon-container { - background-color: rgba($euiColorVis0, 0.5); + background-color: rgba($euiColorVis0, 0.2); } } @@ -63,7 +63,7 @@ border-color: $euiColorVis1; .field-type-icon-container { - background-color: rgba($euiColorVis1, 0.5); + background-color: rgba($euiColorVis1, 0.2); } } @@ -72,7 +72,7 @@ border-color: $euiColorVis9; .field-type-icon-container { - background-color: rgba($euiColorVis9, 0.5); + background-color: rgba($euiColorVis9, 0.2); } } 
@@ -82,7 +82,7 @@ border-color: $euiColorVis6; .field-type-icon-container { - background-color: rgba($euiColorVis6, 0.5); + background-color: rgba($euiColorVis6, 0.2); } } diff --git a/x-pack/legacy/plugins/ml/public/application/util/url_state.test.ts b/x-pack/legacy/plugins/ml/public/application/util/url_state.test.ts new file mode 100644 index 0000000000000..91bbef2dba6c2 --- /dev/null +++ b/x-pack/legacy/plugins/ml/public/application/util/url_state.test.ts 
@@ -0,0 +1,81 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { renderHook, act } from '@testing-library/react-hooks'; +import { getUrlState, useUrlState } from './url_state'; + +const mockHistoryPush = jest.fn(); + +jest.mock('react-router-dom', () => ({ + useHistory: () => ({ + push: mockHistoryPush, + }), + useLocation: () => ({ + search: + "?_a=(mlExplorerFilter:(),mlExplorerSwimlane:(viewByFieldName:action),query:(query_string:(analyze_wildcard:!t,query:'*')))&_g=(ml:(jobIds:!(dec-2)),refreshInterval:(display:Off,pause:!f,value:0),time:(from:'2019-01-01T00:03:40.000Z',mode:absolute,to:'2019-08-30T11:55:07.000Z'))&savedSearchId=571aaf70-4c88-11e8-b3d7-01146121b73d", + }), +})); + +describe('getUrlState', () => { + test('properly decode url with _g and _a', () => { + expect( + getUrlState( + "?_a=(mlExplorerFilter:(),mlExplorerSwimlane:(viewByFieldName:action),query:(query_string:(analyze_wildcard:!t,query:'*')))&_g=(ml:(jobIds:!(dec-2)),refreshInterval:(display:Off,pause:!f,value:0),time:(from:'2019-01-01T00:03:40.000Z',mode:absolute,to:'2019-08-30T11:55:07.000Z'))&savedSearchId=571aaf70-4c88-11e8-b3d7-01146121b73d" + ) + ).toEqual({ + _a: { + mlExplorerFilter: {}, + mlExplorerSwimlane: { + viewByFieldName: 'action', + }, + query: { + query_string: { + analyze_wildcard: true, + query: '*', + }, + }, + }, + _g: { + ml: { + jobIds: ['dec-2'], + }, + refreshInterval: { + display: 'Off', + pause: false, + value: 0, + }, + time: { + from: '2019-01-01T00:03:40.000Z', + mode: 'absolute', + to: '2019-08-30T11:55:07.000Z', + }, + }, + savedSearchId: '571aaf70-4c88-11e8-b3d7-01146121b73d', + }); + }); +}); + +describe('useUrlState', () => { + beforeEach(() => { + mockHistoryPush.mockClear(); + }); + + test('pushes a properly encoded search string to history', () 
=> { + const { result } = renderHook(() => useUrlState('_a')); + + act(() => { + const [, setUrlState] = result.current; + setUrlState({ + query: {}, + }); + }); + + expect(mockHistoryPush).toHaveBeenCalledWith({ + search: + '_a=%28mlExplorerFilter%3A%28%29%2CmlExplorerSwimlane%3A%28viewByFieldName%3Aaction%29%2Cquery%3A%28%29%29&_g=%28ml%3A%28jobIds%3A%21%28dec-2%29%29%2CrefreshInterval%3A%28display%3AOff%2Cpause%3A%21f%2Cvalue%3A0%29%2Ctime%3A%28from%3A%272019-01-01T00%3A03%3A40.000Z%27%2Cmode%3Aabsolute%2Cto%3A%272019-08-30T11%3A55%3A07.000Z%27%29%29&savedSearchId=%27571aaf70-4c88-11e8-b3d7-01146121b73d%27', + }); + }); +}); diff --git a/x-pack/legacy/plugins/ml/public/application/util/url_state.ts b/x-pack/legacy/plugins/ml/public/application/util/url_state.ts index 4402155815a5b..546944b1a33bf 100644 --- a/x-pack/legacy/plugins/ml/public/application/util/url_state.ts +++ b/x-pack/legacy/plugins/ml/public/application/util/url_state.ts @@ -18,13 +18,18 @@ import { getNestedProperty } from './object_utils'; export type SetUrlState = (attribute: string | Dictionary, value?: any) => void; export type UrlState = [Dictionary, SetUrlState]; -function getUrlState(search: string) { +const decodedParams = new Set(['_a', '_g']); +export function getUrlState(search: string): Dictionary { const urlState: Dictionary = {}; const parsedQueryString = queryString.parse(search); try { Object.keys(parsedQueryString).forEach(a => { - urlState[a] = decode(parsedQueryString[a]) as Dictionary; + if (decodedParams.has(a)) { + urlState[a] = decode(parsedQueryString[a]) as Dictionary; + } else { + urlState[a] = parsedQueryString[a]; + } }); } catch (error) { // eslint-disable-next-line no-console 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json deleted file mode 100644 index bb9d8c60040f6..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Command shell started by Internet Explorer", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "cmd.exe" - }, - "type": "phrase", - "value": "cmd.exe" - }, - "query": { - "match": { - "process.name": { - "query": "cmd.exe", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Command shell started by Internet Explorer", - "query": "process.parent.name:iexplore.exe", - "risk_score": 50, - "rule_id": "a0b554d2-85ed-4998-ada3-4ca58b508b35", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json deleted file mode 100644 index d9820f90c55ee..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Command shell started by Powershell", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "cmd.exe" - }, - "type": "phrase", - "value": "cmd.exe" - }, - "query": { - "match": { - "process.name": { - "query": "cmd.exe", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Command shell started by Powershell", - "query": "process.parent.name:powershell.exe", - "risk_score": 50, - "rule_id": "ab4bbfa5-4127-40bf-852f-bdc6afdb2a06", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json deleted file mode 100644 index a11f69fc3048f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Command shell started by Svchost", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "cmd.exe" - }, - "type": "phrase", - "value": "cmd.exe" - }, - "query": { - "match": { - "process.name": { - "query": "cmd.exe", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Command shell started by Svchost", - "query": "process.parent.name:svchost.exe", - "risk_score": 50, - "rule_id": "2e4f8a5e-ce68-44e0-9243-1f57d44c4f30", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json deleted file mode 100644 index faa1c97e4bada..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Network - Detect Large Outbound ICMP Packets", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Network - Detect Large Outbound ICMP Packets", - "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, - "rule_id": "4fce2a7e-0e11-4f17-bae3-8873c5ae62be", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json deleted file mode 100644 index f034e4999107f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Network - Detect Long DNS TXT Record Response", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Network - Detect Long DNS TXT Record Response", - "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53", - "risk_score": 50, - "rule_id": "cc28f445-318e-4850-8b0d-5ad53eaded74", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json deleted file mode 100644 index d1b5f6be75040..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Network - Protocols passing authentication in cleartext", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Network - Protocols passing authentication in cleartext", - "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp", - "risk_score": 50, - "rule_id": "31f32b3c-415a-4a18-b60f-5748a337246b", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json deleted file mode 100644 index 60d5ffe918585..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Child Processes of Spoolsv.exe", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Child Processes of Spoolsv.exe", - "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ", - "risk_score": 50, - "rule_id": "dcc45d35-f42e-4f97-81e8-90b0597ea0d1", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json deleted file mode 100644 index ca27234b0d8ae..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Detect New Local Admin account", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Detect New Local Admin account", - "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators", - "risk_score": 50, - "rule_id": "461db51b-b1a1-49de-ac63-e1bcbd445602", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json deleted file mode 100644 index 25dcd8234e092..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Detect PsExec With accepteula Flag", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Detect PsExec With accepteula Flag", - "query": "process.name:PsExec.exe and process.args:\"-accepteula\"", - "risk_score": 50, - "rule_id": "304b0e0c-bd06-46f8-aeda-2e719ae434d1", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json deleted file mode 100644 index 70d06ca9a4777..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Windows - Detect Use of cmd.exe to Launch Script Interpreters", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Detect Use of cmd.exe to Launch Script Interpreters", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"", - "risk_score": 50, - "rule_id": "b17c215e-8fa5-4087-b8d1-87761a90d710", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json deleted file mode 100644 index 9dbc8d7cbb7ed..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - New External Device Attached", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - New External Device Attached", - "query": "event.code:6416", - "risk_score": 50, - "rule_id": "c0747553-5763-5d85-cd97-898f2daa2bde", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json deleted file mode 100644 index 3f4e1a6243a96..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Windows - Processes created by netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Processes created by netsh", - "query": "process.parent.name:netsh.exe", - "risk_score": 50, - "rule_id": "e312dd9e-4760-4a71-a241-9b9a835a51c4", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json deleted file mode 100644 index 34d08d7596e11..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Processes launching netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Processes launching netsh", - "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ", - "risk_score": 50, - "rule_id": "3b8db8aa-5734-405e-8dda-703129078a35", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json deleted file mode 100644 index bd82247203f00..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Windows - Windows Event Log Cleared", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Windows Event Log Cleared", - "query": "event.code:(1102 or 1100)", - "risk_score": 50, - "rule_id": "b94b5177-ca7f-468a-9a1d-aef39c30a3ae", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts index 8a353e4b2b301..6ef81addd846e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts 
@@ -10,342 +10,306 @@ import rule1 from './403_response_to_a_post.json'; import rule2 from './405_response_method_not_allowed.json'; import rule3 from './500_response_on_admin_page.json'; -import rule4 from './command_shell_started_by_internet_explorer.json'; -import rule5 from './command_shell_started_by_powershell.json'; -import rule6 from './command_shell_started_by_svchost.json'; -import rule7 from './ece_network_detect_large_outbound_icmp_packets.json'; -import rule8 from './ece_network_detect_long_dns_txt_record_response.json'; -import rule9 from './ece_network_protocols_passing_authentication_in_cleartext.json'; -import rule10 from './ece_windows_child_processes_of_spoolsvexe.json'; -import rule11 from './ece_windows_detect_new_local_admin_account.json'; -import rule12 from './ece_windows_detect_psexec_with_accepteula_flag.json'; -import rule13 from './ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json'; -import rule14 from './ece_windows_new_external_device.json'; -import rule15 from './ece_windows_processes_created_by_netsh.json'; -import rule16 from './ece_windows_processes_launching_netsh.json'; -import rule17 from './ece_windows_windows_event_log_cleared.json'; -import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; -import rule19 from './eql_adobe_hijack_persistence.json'; -import rule20 from './eql_audio_capture_via_powershell.json'; -import rule21 from './eql_audio_capture_via_soundrecorder.json'; -import rule22 from './eql_bypass_uac_event_viewer.json'; -import rule23 from './eql_bypass_uac_via_cmstp.json'; -import rule24 from './eql_bypass_uac_via_sdclt.json'; -import rule25 from './eql_clearing_windows_event_logs.json'; -import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json'; -import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json'; -import rule28 from './eql_direct_outbound_smb_connection.json'; -import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json'; 
-import rule30 from './eql_dll_search_order_hijack.json'; -import rule31 from './eql_encoding_or_decoding_files_via_certutil.json'; -import rule32 from './eql_local_scheduled_task_commands.json'; -import rule33 from './eql_local_service_commands.json'; -import rule34 from './eql_modification_of_boot_configuration.json'; -import rule35 from './eql_msbuild_making_network_connections.json'; -import rule36 from './eql_mshta_making_network_connections.json'; -import rule37 from './eql_msxsl_making_network_connections.json'; -import rule38 from './eql_psexec_lateral_movement_command.json'; -import rule39 from './eql_suspicious_ms_office_child_process.json'; -import rule40 from './eql_suspicious_ms_outlook_child_process.json'; -import rule41 from './eql_suspicious_pdf_reader_child_process.json'; -import rule42 from './eql_system_shells_via_services.json'; -import rule43 from './eql_unusual_network_connection_via_rundll32.json'; -import rule44 from './eql_unusual_parentchild_relationship.json'; -import rule45 from './eql_unusual_process_network_connection.json'; -import rule46 from './eql_user_account_creation.json'; -import rule47 from './eql_user_added_to_administrator_group.json'; -import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; -import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json'; -import rule50 from './eql_windows_script_executing_powershell.json'; -import rule51 from './eql_wmic_command_lateral_movement.json'; -import rule52 from './linux_hping_activity.json'; -import rule53 from './linux_iodine_activity.json'; -import rule54 from './linux_java_process_connecting_to_the_internet.json'; -import rule55 from './linux_kernel_module_activity.json'; -import rule56 from './linux_ldso_process_activity.json'; -import rule57 from './linux_lzop_activity.json'; -import rule58 from './linux_lzop_activity_possible_julianrunnels.json'; -import rule59 from './linux_mknod_activity.json'; -import rule60 from 
'./linux_netcat_network_connection.json'; -import rule61 from './linux_network_anomalous_process_using_https_ports.json'; -import rule62 from './linux_nmap_activity.json'; -import rule63 from './linux_nping_activity.json'; -import rule64 from './linux_process_started_in_temp_directory.json'; -import rule65 from './linux_ptrace_activity.json'; -import rule66 from './linux_rawshark_activity.json'; -import rule67 from './linux_shell_activity_by_web_server.json'; -import rule68 from './linux_socat_activity.json'; -import rule69 from './linux_ssh_forwarding.json'; -import rule70 from './linux_strace_activity.json'; -import rule71 from './linux_tcpdump_activity.json'; -import rule72 from './linux_unusual_shell_activity.json'; -import rule73 from './linux_web_download.json'; -import rule74 from './linux_whoami_commmand.json'; -import rule75 from './network_dns_directly_to_the_internet.json'; -import rule76 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule77 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule78 from './network_nat_traversal_port_activity.json'; -import rule79 from './network_port_26_activity.json'; -import rule80 from './network_port_8000_activity.json'; -import rule81 from './network_port_8000_activity_to_the_internet.json'; -import rule82 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule83 from './network_proxy_port_activity_to_the_internet.json'; -import rule84 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule85 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule86 from './network_rpc_remote_procedure_call_from_the_internet.json'; -import rule87 from './network_rpc_remote_procedure_call_to_the_internet.json'; -import rule88 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule89 from './network_smtp_to_the_internet.json'; -import rule90 from 
'./network_sql_server_port_activity_to_the_internet.json'; -import rule91 from './network_ssh_secure_shell_from_the_internet.json'; -import rule92 from './network_ssh_secure_shell_to_the_internet.json'; -import rule93 from './network_telnet_port_activity.json'; -import rule94 from './network_tor_activity_to_the_internet.json'; -import rule95 from './network_vnc_virtual_network_computing_from_the_internet.json'; -import rule96 from './network_vnc_virtual_network_computing_to_the_internet.json'; -import rule97 from './null_user_agent.json'; -import rule98 from './powershell_network_connection.json'; -import rule99 from './process_execution_via_wmi.json'; -import rule100 from './process_started_by_acrobat_reader_possible_payload.json'; -import rule101 from './process_started_by_ms_office_program_possible_payload.json'; -import rule102 from './process_started_by_windows_defender.json'; -import rule103 from './psexec_activity.json'; -import rule104 from './search_windows_10.json'; -import rule105 from './splunk_child_processes_of_spoolsvexe.json'; -import rule106 from './splunk_detect_large_outbound_icmp_packets.json'; -import rule107 from './splunk_detect_long_dns_txt_record_response.json'; -import rule108 from './splunk_detect_new_local_admin_account.json'; -import rule109 from './splunk_detect_psexec_with_accepteula_flag.json'; -import rule110 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json'; -import rule111 from './splunk_processes_created_by_netsh.json'; -import rule112 from './splunk_processes_launching_netsh.json'; -import rule113 from './splunk_protocols_passing_authentication_in_cleartext.json'; -import rule114 from './splunk_windows_event_log_cleared.json'; -import rule115 from './sqlmap_user_agent.json'; -import rule116 from './suricata_base64_encoded_invokecommand_powershell_execution.json'; -import rule117 from './suricata_base64_encoded_newobject_powershell_execution.json'; -import rule118 from 
'./suricata_base64_encoded_startprocess_powershell_execution.json'; -import rule119 from './suricata_category_a_suspicious_string_was_detected.json'; -import rule120 from './suricata_category_attempted_administrator_privilege_gain.json'; -import rule121 from './suricata_category_attempted_denial_of_service.json'; -import rule122 from './suricata_category_attempted_information_leak.json'; -import rule123 from './suricata_category_attempted_login_with_suspicious_username.json'; -import rule124 from './suricata_category_attempted_user_privilege_gain.json'; -import rule125 from './suricata_category_client_using_unusual_port.json'; -import rule126 from './suricata_category_crypto_currency_mining_activity.json'; -import rule127 from './suricata_category_decode_of_an_rpc_query.json'; -import rule128 from './suricata_category_default_username_and_password_login_attempt.json'; -import rule129 from './suricata_category_denial_of_service.json'; -import rule130 from './suricata_category_denial_of_service_attack.json'; -import rule131 from './suricata_category_executable_code_was_detected.json'; -import rule132 from './suricata_category_exploit_kit_activity.json'; -import rule133 from './suricata_category_external_ip_address_retrieval.json'; -import rule134 from './suricata_category_generic_icmp_event.json'; -import rule135 from './suricata_category_generic_protocol_command_decode.json'; -import rule136 from './suricata_category_information_leak.json'; -import rule137 from './suricata_category_large_scale_information_leak.json'; -import rule138 from './suricata_category_malware_command_and_control_activity.json'; -import rule139 from './suricata_category_misc_activity.json'; -import rule140 from './suricata_category_misc_attack.json'; -import rule141 from './suricata_category_network_scan_detected.json'; -import rule142 from './suricata_category_network_trojan_detected.json'; -import rule143 from './suricata_category_nonstandard_protocol_or_event.json'; -import rule144 from 
'./suricata_category_not_suspicious_traffic.json'; -import rule145 from './suricata_category_observed_c2_domain.json'; -import rule146 from './suricata_category_possible_social_engineering_attempted.json'; -import rule147 from './suricata_category_possibly_unwanted_program.json'; -import rule148 from './suricata_category_potential_corporate_privacy_violation.json'; -import rule149 from './suricata_category_potentially_bad_traffic.json'; -import rule150 from './suricata_category_potentially_vulnerable_web_application_access.json'; -import rule151 from './suricata_category_successful_administrator_privilege_gain.json'; -import rule152 from './suricata_category_successful_credential_theft.json'; -import rule153 from './suricata_category_successful_user_privilege_gain.json'; -import rule154 from './suricata_category_suspicious_filename_detected.json'; -import rule155 from './suricata_category_system_call_detected.json'; -import rule156 from './suricata_category_targeted_malicious_activity.json'; -import rule157 from './suricata_category_tcp_connection_detected.json'; -import rule158 from './suricata_category_unknown_traffic.json'; -import rule159 from './suricata_category_unsuccessful_user_privilege_gain.json'; -import rule160 from './suricata_category_web_application_attack.json'; -import rule161 from './suricata_cobaltstrike_artifact_in_an_dns_request.json'; -import rule162 from './suricata_commonly_abused_dns_domain_detected.json'; -import rule163 from './suricata_directory_reversal_characters_in_an_http_request.json'; -import rule164 from './suricata_directory_traversal_characters_in_an_http_request.json'; -import rule165 from './suricata_directory_traversal_characters_in_http_response.json'; -import rule166 from './suricata_directory_traversal_in_downloaded_zip_file.json'; -import rule167 from './suricata_dns_traffic_on_unusual_tcp_port.json'; -import rule168 from './suricata_dns_traffic_on_unusual_udp_port.json'; -import rule169 from 
'./suricata_double_encoded_characters_in_a_uri.json'; -import rule170 from './suricata_double_encoded_characters_in_an_http_post.json'; -import rule171 from './suricata_double_encoded_characters_in_http_request.json'; -import rule172 from './suricata_eval_php_function_in_an_http_request.json'; -import rule173 from './suricata_exploit_cve_2018_1000861.json'; -import rule174 from './suricata_exploit_cve_2019_0227.json'; -import rule175 from './suricata_exploit_cve_2019_0232.json'; -import rule176 from './suricata_exploit_cve_2019_0604.json'; -import rule177 from './suricata_exploit_cve_2019_0708.json'; -import rule178 from './suricata_exploit_cve_2019_0752.json'; -import rule179 from './suricata_exploit_cve_2019_1003000.json'; -import rule180 from './suricata_exploit_cve_2019_10149.json'; -import rule181 from './suricata_exploit_cve_2019_11043.json'; -import rule182 from './suricata_exploit_cve_2019_11510.json'; -import rule183 from './suricata_exploit_cve_2019_11580.json'; -import rule184 from './suricata_exploit_cve_2019_11581.json'; -import rule185 from './suricata_exploit_cve_2019_13450.json'; -import rule186 from './suricata_exploit_cve_2019_13505.json'; -import rule187 from './suricata_exploit_cve_2019_15107.json'; -import rule188 from './suricata_exploit_cve_2019_15846.json'; -import rule189 from './suricata_exploit_cve_2019_16072.json'; -import rule190 from './suricata_exploit_cve_2019_1652.json'; -import rule191 from './suricata_exploit_cve_2019_16662.json'; -import rule192 from './suricata_exploit_cve_2019_16759.json'; -import rule193 from './suricata_exploit_cve_2019_16928.json'; -import rule194 from './suricata_exploit_cve_2019_17270.json'; -import rule195 from './suricata_exploit_cve_2019_1821.json'; -import rule196 from './suricata_exploit_cve_2019_19781.json'; -import rule197 from './suricata_exploit_cve_2019_2618.json'; -import rule198 from './suricata_exploit_cve_2019_2725.json'; -import rule199 from './suricata_exploit_cve_2019_3396.json'; -import 
rule200 from './suricata_exploit_cve_2019_3929.json'; -import rule201 from './suricata_exploit_cve_2019_5533.json'; -import rule202 from './suricata_exploit_cve_2019_6340.json'; -import rule203 from './suricata_exploit_cve_2019_7256.json'; -import rule204 from './suricata_exploit_cve_2019_9978.json'; -import rule205 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json'; -import rule206 from './suricata_http_traffic_on_unusual_port_internet_destination.json'; -import rule207 from './suricata_imap_traffic_on_unusual_port_internet_destination.json'; -import rule208 from './suricata_lazagne_artifact_in_an_http_post.json'; -import rule209 from './suricata_mimikatz_artifacts_in_an_http_post.json'; -import rule210 from './suricata_mimikatz_string_detected_in_http_response.json'; -import rule211 from './suricata_nondns_traffic_on_tcp_port_53.json'; -import rule212 from './suricata_nondns_traffic_on_udp_port_53.json'; -import rule213 from './suricata_nonftp_traffic_on_port_21.json'; -import rule214 from './suricata_nonhttp_traffic_on_tcp_port_80.json'; -import rule215 from './suricata_nonimap_traffic_on_port_1443_imap.json'; -import rule216 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json'; -import rule217 from './suricata_nonssh_traffic_on_port_22.json'; -import rule218 from './suricata_nontls_on_tls_port.json'; -import rule219 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json'; -import rule220 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json'; -import rule221 from './suricata_rpc_traffic_on_http_ports.json'; -import rule222 from './suricata_serialized_php_detected.json'; -import rule223 from './suricata_shell_exec_php_function_in_an_http_post.json'; -import rule224 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json'; -import rule225 from './suricata_tls_traffic_on_unusual_port_internet_destination.json'; -import rule226 from 
'./suricata_windows_executable_served_by_jpeg_web_content.json'; -import rule227 from './suspicious_process_started_by_a_script.json'; -import rule228 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; -import rule229 from './windows_burp_ce_activity.json'; -import rule230 from './windows_certutil_connecting_to_the_internet.json'; -import rule231 from './windows_command_prompt_connecting_to_the_internet.json'; -import rule232 from './windows_command_shell_started_by_internet_explorer.json'; -import rule233 from './windows_command_shell_started_by_powershell.json'; -import rule234 from './windows_command_shell_started_by_svchost.json'; -import rule235 from './windows_credential_dumping_commands.json'; -import rule236 from './windows_credential_dumping_via_imageload.json'; -import rule237 from './windows_credential_dumping_via_registry_save.json'; -import rule238 from './windows_data_compression_using_powershell.json'; -import rule239 from './windows_defense_evasion_decoding_using_certutil.json'; -import rule240 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; -import rule241 from './windows_defense_evasion_via_filter_manager.json'; -import rule242 from './windows_defense_evasion_via_windows_event_log_tools.json'; -import rule243 from './windows_execution_via_compiled_html_file.json'; -import rule244 from './windows_execution_via_connection_manager.json'; -import rule245 from './windows_execution_via_microsoft_html_application_hta.json'; -import rule246 from './windows_execution_via_net_com_assemblies.json'; -import rule247 from './windows_execution_via_regsvr32.json'; -import rule248 from './windows_execution_via_trusted_developer_utilities.json'; -import rule249 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule250 from './windows_image_load_from_a_temp_directory.json'; -import rule251 from './windows_indirect_command_execution.json'; -import rule252 from 
'./windows_iodine_activity.json'; -import rule253 from './windows_management_instrumentation_wmi_execution.json'; -import rule254 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; -import rule255 from './windows_mimikatz_activity.json'; -import rule256 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule257 from './windows_net_command_activity_by_the_system_account.json'; -import rule258 from './windows_net_user_command_activity.json'; -import rule259 from './windows_netcat_activity.json'; -import rule260 from './windows_netcat_network_activity.json'; -import rule261 from './windows_network_anomalous_windows_process_using_https_ports.json'; -import rule262 from './windows_nmap_activity.json'; -import rule263 from './windows_nmap_scan_activity.json'; -import rule264 from './windows_payload_obfuscation_via_certutil.json'; -import rule265 from './windows_persistence_or_priv_escalation_via_hooking.json'; -import rule266 from './windows_persistence_via_application_shimming.json'; -import rule267 from './windows_persistence_via_bits_jobs.json'; -import rule268 from './windows_persistence_via_modification_of_existing_service.json'; -import rule269 from './windows_persistence_via_netshell_helper_dll.json'; -import rule270 from './windows_powershell_connecting_to_the_internet.json'; -import rule271 from './windows_priv_escalation_via_accessibility_features.json'; -import rule272 from './windows_process_discovery_via_tasklist_command.json'; -import rule273 from './windows_process_execution_via_wmi.json'; -import rule274 from './windows_process_started_by_acrobat_reader_possible_payload.json'; -import rule275 from './windows_process_started_by_ms_office_program_possible_payload.json'; -import rule276 from './windows_process_started_by_the_java_runtime.json'; -import rule277 from './windows_psexec_activity.json'; -import rule278 from './windows_register_server_program_connecting_to_the_internet.json'; -import rule279 from 
'./windows_registry_query_local.json'; -import rule280 from './windows_registry_query_network.json'; -import rule281 from './windows_remote_management_execution.json'; -import rule282 from './windows_scheduled_task_activity.json'; -import rule283 from './windows_script_interpreter_connecting_to_the_internet.json'; -import rule284 from './windows_signed_binary_proxy_execution.json'; -import rule285 from './windows_signed_binary_proxy_execution_download.json'; -import rule286 from './windows_suspicious_process_started_by_a_script.json'; -import rule287 from './windows_whoami_command_activity.json'; -import rule288 from './windows_windump_activity.json'; -import rule289 from './windows_wireshark_activity.json'; -import rule290 from './windump_activity.json'; -import rule291 from './zeek_notice_capturelosstoo_much_loss.json'; -import rule292 from './zeek_notice_conncontent_gap.json'; -import rule293 from './zeek_notice_connretransmission_inconsistency.json'; -import rule294 from './zeek_notice_dnsexternal_name.json'; -import rule295 from './zeek_notice_ftpbruteforcing.json'; -import rule296 from './zeek_notice_ftpsite_exec_success.json'; -import rule297 from './zeek_notice_heartbleedssl_heartbeat_attack.json'; -import rule298 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json'; -import rule299 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json'; -import rule300 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json'; -import rule301 from './zeek_notice_httpsql_injection_attacker.json'; -import rule302 from './zeek_notice_httpsql_injection_victim.json'; -import rule303 from './zeek_notice_intelnotice.json'; -import rule304 from './zeek_notice_noticetally.json'; -import rule305 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json'; -import rule306 from './zeek_notice_packetfiltercompile_failure.json'; -import rule307 from './zeek_notice_packetfilterdropped_packets.json'; -import rule308 from 
'./zeek_notice_packetfilterinstall_failure.json'; -import rule309 from './zeek_notice_packetfilterno_more_conn_shunts_available.json'; -import rule310 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json'; -import rule311 from './zeek_notice_protocoldetectorprotocol_found.json'; -import rule312 from './zeek_notice_protocoldetectorserver_found.json'; -import rule313 from './zeek_notice_scanaddress_scan.json'; -import rule314 from './zeek_notice_scanport_scan.json'; -import rule315 from './zeek_notice_signaturescount_signature.json'; -import rule316 from './zeek_notice_signaturesmultiple_sig_responders.json'; -import rule317 from './zeek_notice_signaturesmultiple_signatures.json'; -import rule318 from './zeek_notice_signaturessensitive_signature.json'; -import rule319 from './zeek_notice_signaturessignature_summary.json'; -import rule320 from './zeek_notice_smtpblocklist_blocked_host.json'; -import rule321 from './zeek_notice_smtpblocklist_error_message.json'; -import rule322 from './zeek_notice_smtpsuspicious_origination.json'; -import rule323 from './zeek_notice_softwaresoftware_version_change.json'; -import rule324 from './zeek_notice_softwarevulnerable_version.json'; -import rule325 from './zeek_notice_sshinteresting_hostname_login.json'; -import rule326 from './zeek_notice_sshlogin_by_password_guesser.json'; -import rule327 from './zeek_notice_sshpassword_guessing.json'; -import rule328 from './zeek_notice_sshwatched_country_login.json'; -import rule329 from './zeek_notice_sslcertificate_expired.json'; -import rule330 from './zeek_notice_sslcertificate_expires_soon.json'; -import rule331 from './zeek_notice_sslcertificate_not_valid_yet.json'; -import rule332 from './zeek_notice_sslinvalid_ocsp_response.json'; -import rule333 from './zeek_notice_sslinvalid_server_cert.json'; -import rule334 from './zeek_notice_sslold_version.json'; -import rule335 from './zeek_notice_sslweak_cipher.json'; -import rule336 from './zeek_notice_sslweak_key.json'; -import 
rule337 from './zeek_notice_teamcymrumalwarehashregistrymatch.json'; -import rule338 from './zeek_notice_traceroutedetected.json'; -import rule339 from './zeek_notice_weirdactivity.json'; +import rule4 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; +import rule5 from './eql_adobe_hijack_persistence.json'; +import rule6 from './eql_audio_capture_via_powershell.json'; +import rule7 from './eql_audio_capture_via_soundrecorder.json'; +import rule8 from './eql_bypass_uac_event_viewer.json'; +import rule9 from './eql_bypass_uac_via_cmstp.json'; +import rule10 from './eql_bypass_uac_via_sdclt.json'; +import rule11 from './eql_clearing_windows_event_logs.json'; +import rule12 from './eql_delete_volume_usn_journal_with_fsutil.json'; +import rule13 from './eql_deleting_backup_catalogs_with_wbadmin.json'; +import rule14 from './eql_direct_outbound_smb_connection.json'; +import rule15 from './eql_disable_windows_firewall_rules_with_netsh.json'; +import rule16 from './eql_dll_search_order_hijack.json'; +import rule17 from './eql_encoding_or_decoding_files_via_certutil.json'; +import rule18 from './eql_local_scheduled_task_commands.json'; +import rule19 from './eql_local_service_commands.json'; +import rule20 from './eql_modification_of_boot_configuration.json'; +import rule21 from './eql_msbuild_making_network_connections.json'; +import rule22 from './eql_mshta_making_network_connections.json'; +import rule23 from './eql_msxsl_making_network_connections.json'; +import rule24 from './eql_psexec_lateral_movement_command.json'; +import rule25 from './eql_suspicious_ms_office_child_process.json'; +import rule26 from './eql_suspicious_ms_outlook_child_process.json'; +import rule27 from './eql_suspicious_pdf_reader_child_process.json'; +import rule28 from './eql_system_shells_via_services.json'; +import rule29 from './eql_unusual_network_connection_via_rundll32.json'; +import rule30 from './eql_unusual_parentchild_relationship.json'; +import rule31 from 
'./eql_unusual_process_network_connection.json'; +import rule32 from './eql_user_account_creation.json'; +import rule33 from './eql_user_added_to_administrator_group.json'; +import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; +import rule35 from './eql_volume_shadow_copy_deletion_via_wmic.json'; +import rule36 from './eql_windows_script_executing_powershell.json'; +import rule37 from './eql_wmic_command_lateral_movement.json'; +import rule38 from './linux_hping_activity.json'; +import rule39 from './linux_iodine_activity.json'; +import rule40 from './linux_kernel_module_activity.json'; +import rule41 from './linux_ldso_process_activity.json'; +import rule42 from './linux_lzop_activity.json'; +import rule43 from './linux_mknod_activity.json'; +import rule44 from './linux_netcat_network_connection.json'; +import rule45 from './linux_network_anomalous_process_using_https_ports.json'; +import rule46 from './linux_nmap_activity.json'; +import rule47 from './linux_nping_activity.json'; +import rule48 from './linux_process_started_in_temp_directory.json'; +import rule49 from './linux_ptrace_activity.json'; +import rule50 from './linux_rawshark_activity.json'; +import rule51 from './linux_shell_activity_by_web_server.json'; +import rule52 from './linux_socat_activity.json'; +import rule53 from './linux_ssh_forwarding.json'; +import rule54 from './linux_strace_activity.json'; +import rule55 from './linux_tcpdump_activity.json'; +import rule56 from './linux_web_download.json'; +import rule57 from './linux_whoami_commmand.json'; +import rule58 from './network_dns_directly_to_the_internet.json'; +import rule59 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule60 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule61 from './network_nat_traversal_port_activity.json'; +import rule62 from './network_port_26_activity.json'; +import rule63 from './network_port_8000_activity.json'; 
+import rule64 from './network_port_8000_activity_to_the_internet.json'; +import rule65 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule66 from './network_proxy_port_activity_to_the_internet.json'; +import rule67 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule68 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule69 from './network_rpc_remote_procedure_call_from_the_internet.json'; +import rule70 from './network_rpc_remote_procedure_call_to_the_internet.json'; +import rule71 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule72 from './network_smtp_to_the_internet.json'; +import rule73 from './network_sql_server_port_activity_to_the_internet.json'; +import rule74 from './network_ssh_secure_shell_from_the_internet.json'; +import rule75 from './network_ssh_secure_shell_to_the_internet.json'; +import rule76 from './network_telnet_port_activity.json'; +import rule77 from './network_tor_activity_to_the_internet.json'; +import rule78 from './network_vnc_virtual_network_computing_from_the_internet.json'; +import rule79 from './network_vnc_virtual_network_computing_to_the_internet.json'; +import rule80 from './null_user_agent.json'; +import rule81 from './sqlmap_user_agent.json'; +import rule82 from './suricata_base64_encoded_invokecommand_powershell_execution.json'; +import rule83 from './suricata_base64_encoded_newobject_powershell_execution.json'; +import rule84 from './suricata_base64_encoded_startprocess_powershell_execution.json'; +import rule85 from './suricata_category_a_suspicious_string_was_detected.json'; +import rule86 from './suricata_category_attempted_administrator_privilege_gain.json'; +import rule87 from './suricata_category_attempted_denial_of_service.json'; +import rule88 from './suricata_category_attempted_information_leak.json'; +import rule89 from './suricata_category_attempted_login_with_suspicious_username.json'; +import 
rule90 from './suricata_category_attempted_user_privilege_gain.json'; +import rule91 from './suricata_category_client_using_unusual_port.json'; +import rule92 from './suricata_category_crypto_currency_mining_activity.json'; +import rule93 from './suricata_category_decode_of_an_rpc_query.json'; +import rule94 from './suricata_category_default_username_and_password_login_attempt.json'; +import rule95 from './suricata_category_denial_of_service.json'; +import rule96 from './suricata_category_denial_of_service_attack.json'; +import rule97 from './suricata_category_executable_code_was_detected.json'; +import rule98 from './suricata_category_exploit_kit_activity.json'; +import rule99 from './suricata_category_external_ip_address_retrieval.json'; +import rule100 from './suricata_category_generic_icmp_event.json'; +import rule101 from './suricata_category_generic_protocol_command_decode.json'; +import rule102 from './suricata_category_information_leak.json'; +import rule103 from './suricata_category_large_scale_information_leak.json'; +import rule104 from './suricata_category_malware_command_and_control_activity.json'; +import rule105 from './suricata_category_misc_activity.json'; +import rule106 from './suricata_category_misc_attack.json'; +import rule107 from './suricata_category_network_scan_detected.json'; +import rule108 from './suricata_category_network_trojan_detected.json'; +import rule109 from './suricata_category_nonstandard_protocol_or_event.json'; +import rule110 from './suricata_category_not_suspicious_traffic.json'; +import rule111 from './suricata_category_observed_c2_domain.json'; +import rule112 from './suricata_category_possible_social_engineering_attempted.json'; +import rule113 from './suricata_category_possibly_unwanted_program.json'; +import rule114 from './suricata_category_potential_corporate_privacy_violation.json'; +import rule115 from './suricata_category_potentially_bad_traffic.json'; +import rule116 from 
'./suricata_category_potentially_vulnerable_web_application_access.json'; +import rule117 from './suricata_category_successful_administrator_privilege_gain.json'; +import rule118 from './suricata_category_successful_credential_theft.json'; +import rule119 from './suricata_category_successful_user_privilege_gain.json'; +import rule120 from './suricata_category_suspicious_filename_detected.json'; +import rule121 from './suricata_category_system_call_detected.json'; +import rule122 from './suricata_category_targeted_malicious_activity.json'; +import rule123 from './suricata_category_tcp_connection_detected.json'; +import rule124 from './suricata_category_unknown_traffic.json'; +import rule125 from './suricata_category_unsuccessful_user_privilege_gain.json'; +import rule126 from './suricata_category_web_application_attack.json'; +import rule127 from './suricata_cobaltstrike_artifact_in_an_dns_request.json'; +import rule128 from './suricata_commonly_abused_dns_domain_detected.json'; +import rule129 from './suricata_directory_reversal_characters_in_an_http_request.json'; +import rule130 from './suricata_directory_traversal_characters_in_an_http_request.json'; +import rule131 from './suricata_directory_traversal_characters_in_http_response.json'; +import rule132 from './suricata_directory_traversal_in_downloaded_zip_file.json'; +import rule133 from './suricata_dns_traffic_on_unusual_tcp_port.json'; +import rule134 from './suricata_dns_traffic_on_unusual_udp_port.json'; +import rule135 from './suricata_double_encoded_characters_in_a_uri.json'; +import rule136 from './suricata_double_encoded_characters_in_an_http_post.json'; +import rule137 from './suricata_double_encoded_characters_in_http_request.json'; +import rule138 from './suricata_eval_php_function_in_an_http_request.json'; +import rule139 from './suricata_exploit_cve_2018_1000861.json'; +import rule140 from './suricata_exploit_cve_2019_0227.json'; +import rule141 from './suricata_exploit_cve_2019_0232.json'; +import 
rule142 from './suricata_exploit_cve_2019_0604.json'; +import rule143 from './suricata_exploit_cve_2019_0708.json'; +import rule144 from './suricata_exploit_cve_2019_0752.json'; +import rule145 from './suricata_exploit_cve_2019_1003000.json'; +import rule146 from './suricata_exploit_cve_2019_10149.json'; +import rule147 from './suricata_exploit_cve_2019_11043.json'; +import rule148 from './suricata_exploit_cve_2019_11510.json'; +import rule149 from './suricata_exploit_cve_2019_11580.json'; +import rule150 from './suricata_exploit_cve_2019_11581.json'; +import rule151 from './suricata_exploit_cve_2019_13450.json'; +import rule152 from './suricata_exploit_cve_2019_13505.json'; +import rule153 from './suricata_exploit_cve_2019_15107.json'; +import rule154 from './suricata_exploit_cve_2019_15846.json'; +import rule155 from './suricata_exploit_cve_2019_16072.json'; +import rule156 from './suricata_exploit_cve_2019_1652.json'; +import rule157 from './suricata_exploit_cve_2019_16662.json'; +import rule158 from './suricata_exploit_cve_2019_16759.json'; +import rule159 from './suricata_exploit_cve_2019_16928.json'; +import rule160 from './suricata_exploit_cve_2019_17270.json'; +import rule161 from './suricata_exploit_cve_2019_1821.json'; +import rule162 from './suricata_exploit_cve_2019_19781.json'; +import rule163 from './suricata_exploit_cve_2019_2618.json'; +import rule164 from './suricata_exploit_cve_2019_2725.json'; +import rule165 from './suricata_exploit_cve_2019_3396.json'; +import rule166 from './suricata_exploit_cve_2019_3929.json'; +import rule167 from './suricata_exploit_cve_2019_5533.json'; +import rule168 from './suricata_exploit_cve_2019_6340.json'; +import rule169 from './suricata_exploit_cve_2019_7256.json'; +import rule170 from './suricata_exploit_cve_2019_9978.json'; +import rule171 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json'; +import rule172 from './suricata_http_traffic_on_unusual_port_internet_destination.json'; +import 
rule173 from './suricata_imap_traffic_on_unusual_port_internet_destination.json'; +import rule174 from './suricata_lazagne_artifact_in_an_http_post.json'; +import rule175 from './suricata_mimikatz_artifacts_in_an_http_post.json'; +import rule176 from './suricata_mimikatz_string_detected_in_http_response.json'; +import rule177 from './suricata_nondns_traffic_on_tcp_port_53.json'; +import rule178 from './suricata_nondns_traffic_on_udp_port_53.json'; +import rule179 from './suricata_nonftp_traffic_on_port_21.json'; +import rule180 from './suricata_nonhttp_traffic_on_tcp_port_80.json'; +import rule181 from './suricata_nonimap_traffic_on_port_1443_imap.json'; +import rule182 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json'; +import rule183 from './suricata_nonssh_traffic_on_port_22.json'; +import rule184 from './suricata_nontls_on_tls_port.json'; +import rule185 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json'; +import rule186 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json'; +import rule187 from './suricata_rpc_traffic_on_http_ports.json'; +import rule188 from './suricata_serialized_php_detected.json'; +import rule189 from './suricata_shell_exec_php_function_in_an_http_post.json'; +import rule190 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json'; +import rule191 from './suricata_tls_traffic_on_unusual_port_internet_destination.json'; +import rule192 from './suricata_windows_executable_served_by_jpeg_web_content.json'; +import rule193 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; +import rule194 from './windows_burp_ce_activity.json'; +import rule195 from './windows_certutil_connecting_to_the_internet.json'; +import rule196 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule197 from './windows_command_shell_started_by_internet_explorer.json'; +import rule198 from 
'./windows_command_shell_started_by_powershell.json'; +import rule199 from './windows_command_shell_started_by_svchost.json'; +import rule200 from './windows_credential_dumping_commands.json'; +import rule201 from './windows_credential_dumping_via_imageload.json'; +import rule202 from './windows_credential_dumping_via_registry_save.json'; +import rule203 from './windows_data_compression_using_powershell.json'; +import rule204 from './windows_defense_evasion_decoding_using_certutil.json'; +import rule205 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; +import rule206 from './windows_defense_evasion_via_filter_manager.json'; +import rule207 from './windows_defense_evasion_via_windows_event_log_tools.json'; +import rule208 from './windows_execution_via_compiled_html_file.json'; +import rule209 from './windows_execution_via_connection_manager.json'; +import rule210 from './windows_execution_via_microsoft_html_application_hta.json'; +import rule211 from './windows_execution_via_net_com_assemblies.json'; +import rule212 from './windows_execution_via_regsvr32.json'; +import rule213 from './windows_execution_via_trusted_developer_utilities.json'; +import rule214 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule215 from './windows_image_load_from_a_temp_directory.json'; +import rule216 from './windows_indirect_command_execution.json'; +import rule217 from './windows_iodine_activity.json'; +import rule218 from './windows_management_instrumentation_wmi_execution.json'; +import rule219 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; +import rule220 from './windows_mimikatz_activity.json'; +import rule221 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule222 from './windows_net_command_activity_by_the_system_account.json'; +import rule223 from './windows_net_user_command_activity.json'; +import rule224 from './windows_netcat_activity.json'; +import rule225 
from './windows_netcat_network_activity.json'; +import rule226 from './windows_network_anomalous_windows_process_using_https_ports.json'; +import rule227 from './windows_nmap_activity.json'; +import rule228 from './windows_nmap_scan_activity.json'; +import rule229 from './windows_payload_obfuscation_via_certutil.json'; +import rule230 from './windows_persistence_or_priv_escalation_via_hooking.json'; +import rule231 from './windows_persistence_via_application_shimming.json'; +import rule232 from './windows_persistence_via_bits_jobs.json'; +import rule233 from './windows_persistence_via_modification_of_existing_service.json'; +import rule234 from './windows_persistence_via_netshell_helper_dll.json'; +import rule235 from './windows_powershell_connecting_to_the_internet.json'; +import rule236 from './windows_priv_escalation_via_accessibility_features.json'; +import rule237 from './windows_process_discovery_via_tasklist_command.json'; +import rule238 from './windows_process_execution_via_wmi.json'; +import rule239 from './windows_process_started_by_acrobat_reader_possible_payload.json'; +import rule240 from './windows_process_started_by_ms_office_program_possible_payload.json'; +import rule241 from './windows_process_started_by_the_java_runtime.json'; +import rule242 from './windows_psexec_activity.json'; +import rule243 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule244 from './windows_registry_query_local.json'; +import rule245 from './windows_registry_query_network.json'; +import rule246 from './windows_remote_management_execution.json'; +import rule247 from './windows_scheduled_task_activity.json'; +import rule248 from './windows_script_interpreter_connecting_to_the_internet.json'; +import rule249 from './windows_signed_binary_proxy_execution.json'; +import rule250 from './windows_signed_binary_proxy_execution_download.json'; +import rule251 from './windows_suspicious_process_started_by_a_script.json'; +import rule252 from 
'./windows_whoami_command_activity.json'; +import rule253 from './windows_windump_activity.json'; +import rule254 from './windows_wireshark_activity.json'; +import rule255 from './zeek_notice_capturelosstoo_much_loss.json'; +import rule256 from './zeek_notice_conncontent_gap.json'; +import rule257 from './zeek_notice_connretransmission_inconsistency.json'; +import rule258 from './zeek_notice_dnsexternal_name.json'; +import rule259 from './zeek_notice_ftpbruteforcing.json'; +import rule260 from './zeek_notice_ftpsite_exec_success.json'; +import rule261 from './zeek_notice_heartbleedssl_heartbeat_attack.json'; +import rule262 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json'; +import rule263 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json'; +import rule264 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json'; +import rule265 from './zeek_notice_httpsql_injection_attacker.json'; +import rule266 from './zeek_notice_httpsql_injection_victim.json'; +import rule267 from './zeek_notice_intelnotice.json'; +import rule268 from './zeek_notice_noticetally.json'; +import rule269 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json'; +import rule270 from './zeek_notice_packetfiltercompile_failure.json'; +import rule271 from './zeek_notice_packetfilterdropped_packets.json'; +import rule272 from './zeek_notice_packetfilterinstall_failure.json'; +import rule273 from './zeek_notice_packetfilterno_more_conn_shunts_available.json'; +import rule274 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json'; +import rule275 from './zeek_notice_protocoldetectorprotocol_found.json'; +import rule276 from './zeek_notice_protocoldetectorserver_found.json'; +import rule277 from './zeek_notice_scanaddress_scan.json'; +import rule278 from './zeek_notice_scanport_scan.json'; +import rule279 from './zeek_notice_signaturescount_signature.json'; +import rule280 from './zeek_notice_signaturesmultiple_sig_responders.json'; +import rule281 from 
'./zeek_notice_signaturesmultiple_signatures.json'; +import rule282 from './zeek_notice_signaturessensitive_signature.json'; +import rule283 from './zeek_notice_signaturessignature_summary.json'; +import rule284 from './zeek_notice_smtpblocklist_blocked_host.json'; +import rule285 from './zeek_notice_smtpblocklist_error_message.json'; +import rule286 from './zeek_notice_smtpsuspicious_origination.json'; +import rule287 from './zeek_notice_softwaresoftware_version_change.json'; +import rule288 from './zeek_notice_softwarevulnerable_version.json'; +import rule289 from './zeek_notice_sshinteresting_hostname_login.json'; +import rule290 from './zeek_notice_sshlogin_by_password_guesser.json'; +import rule291 from './zeek_notice_sshpassword_guessing.json'; +import rule292 from './zeek_notice_sshwatched_country_login.json'; +import rule293 from './zeek_notice_sslcertificate_expired.json'; +import rule294 from './zeek_notice_sslcertificate_expires_soon.json'; +import rule295 from './zeek_notice_sslcertificate_not_valid_yet.json'; +import rule296 from './zeek_notice_sslinvalid_ocsp_response.json'; +import rule297 from './zeek_notice_sslinvalid_server_cert.json'; +import rule298 from './zeek_notice_sslold_version.json'; +import rule299 from './zeek_notice_sslweak_cipher.json'; +import rule300 from './zeek_notice_sslweak_key.json'; +import rule301 from './zeek_notice_teamcymrumalwarehashregistrymatch.json'; +import rule302 from './zeek_notice_traceroutedetected.json'; +import rule303 from './zeek_notice_weirdactivity.json'; export const rawRules = [ rule1, rule2, 
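Review bot: several of the new import paths carry naming defects that will persist as shipped rule file names: `import rule57 from './linux_whoami_commmand.json';` (triple m), `import rule127 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';`, and rule129's `suricata_directory_reversal_characters_in_an_http_request.json`, which sits directly beside rule130's `suricata_directory_traversal_characters_in_an_http_request.json` and is therefore either a typo or a duplicate rule that should be checked against the rule's `name`. rule181's `suricata_nonimap_traffic_on_port_1443_imap.json` also names port 1443 where IMAP's well-known port is 143; confirm the file name matches the port the rule actually inspects. Because this list is alphabetically ordered and positionally numbered, renaming any of these after release costs another full renumbering, so it is cheaper to fix them in this PR.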
@@ -650,40 +614,4 @@ export const rawRules = [ rule301, rule302, rule303, - rule304, - rule305, - rule306, - rule307, - rule308, - rule309, - rule310, - rule311, - rule312, - rule313, - rule314, - rule315, - rule316, - rule317, - rule318, - rule319, - rule320, - rule321, - rule322, - rule323, - rule324, - rule325, - rule326, - rule327, - rule328, - rule329, - rule330, - rule331, - rule332, - rule333, - rule334, - rule335, - rule336, - rule337, - rule338, - rule339, ]; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json deleted file mode 100644 index 57f37e34ad4d5..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - "description": "Linux: Java Process Connecting to the Internet", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "java" - }, - "type": "phrase", - "value": "java" - }, - "query": { - "match": { - "process.name": { - "query": "java", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "socket_opened" - }, - "type": "phrase", - "value": "socket_opened" - }, - "query": { - "match": { - "event.action": { - "query": "socket_opened", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "destination.ip", - "negate": true, - "params": { - "query": "127.0.0.1" - }, - "type": "phrase", - "value": "127.0.0.1" - }, - "query": { - "match": { - "destination.ip": { - "query": "127.0.0.1", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "key": "destination.ip", - "negate": true, - "params": { - "query": "::1" - }, - "type": "phrase", - "value": "::1" - }, - "query": { - "match": { - "destination.ip": { - "query": "::1", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Linux: Java Process Connecting to the Internet", - "query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12", - 
"risk_score": 50, - "rule_id": "7f65b8c5-27ed-4cf6-a088-3a20d2f84bf5", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json deleted file mode 100644 index 62203b6c42a5a..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Linux lzop activity - possible @JulianRunnels", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Linux lzop activity - possible @JulianRunnels", - "query": "process.name:lzop", - "risk_score": 50, - "rule_id": "d89b05b1-9b2b-45ea-9876-4a74550af6a6", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json deleted file mode 100644 index a63b2ea7dc522..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "description": "Linux unusual shell activity", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": true, - "params": { - "query": "bash" - }, - "type": "phrase", - "value": "bash" - }, - "query": { - "match": { - "process.name": { - "query": "bash", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "process.executable", - "negate": true, - "params": { - "query": "/bin/dash" - }, - "type": "phrase", - "value": "/bin/dash" - }, - "query": { - "match": { - "process.executable": { - "query": "/bin/dash", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "process.name", - "negate": true, - "params": { - "query": "ReportCrash" - }, - "type": "phrase", - "value": "ReportCrash" - }, - "query": { - "match": { - "process.name": { - "query": "ReportCrash", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Linux unusual shell activity", - "query": "process.name:*sh", - "risk_score": 50, - "rule_id": "4cc78842-f8a9-4a20-b703-a596c4f24e4f", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json deleted file mode 100644 index 075f77490a237..0000000000000 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Powershell network connection", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Network connection detected (rule: NetworkConnect)" - }, - "type": "phrase", - "value": "Network connection detected (rule: NetworkConnect)" - }, - "query": { - "match": { - "event.action": { - "query": "Network connection detected (rule: NetworkConnect)", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "destination.ip", - "negate": true, - "params": { - "query": "169.254.169.254" - }, - "type": "phrase", - "value": "169.254.169.254" - }, - "query": { - "match": { - "destination.ip": { - "query": "169.254.169.254", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Powershell network connection", - "query": "process.name:powershell.exe", - "risk_score": 50, - "rule_id": "8e792144-39a6-4a63-9779-2f12719dc132", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json deleted file mode 100644 index 5ed0ad3899b4c..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Process Execution via WMI", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process Execution via WMI", - "query": "process.name:scrcons.exe", - "risk_score": 50, - "rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json deleted file mode 100644 index c00b88e5f88ef..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "Process started by Acrobat reader - possible payload", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process started by Acrobat reader - possible payload", - "query": "process.parent.name:AcroRd32.exe", - "risk_score": 50, - "rule_id": "c359628d-d5af-4a20-99df-aeeea109b690", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json deleted file mode 100644 index 5237b17e7d69f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "Process started by MS Office program - possible payload", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process started by MS Office program - possible payload", - "query": " process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", - "risk_score": 50, - "rule_id": "3181b814-08e3-43f9-b77a-a2530603b131", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json deleted file mode 100644 index 1a686a4482df6..0000000000000 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Process started by Windows Defender", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process started by Windows Defender", - "query": "parent.process.name:MsMpEng.exe", - "risk_score": 50, - "rule_id": "b3da3321-417d-494b-854c-b40369e063f0", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json deleted file mode 100644 index b928e7dc80576..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "PSexec activity", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "PSexec activity", - "query": "process.name:PsExec.exe or process.name:PsExec64.exe", - "risk_score": 50, - "rule_id": "9511b7f4-3898-4813-8bd3-d810b03148ab", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json deleted file mode 100644 index ab76b1ed9ff9e..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "description": "(Search) Windows 10", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "agent.hostname", - "negate": false, - "params": { - "query": "LAPTOP-CQNI37L2" - }, - "type": "phrase" - }, - "query": { - "match": { - "agent.hostname": { - "query": "LAPTOP-CQNI37L2", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.provider", - "negate": false, - "params": { - "query": "Microsoft-Windows-Sysmon" - }, - "type": "phrase" - }, - "query": { - "match": { - "event.provider": { - "query": "Microsoft-Windows-Sysmon", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "(Search) Windows 10", - "query": "", - "risk_score": 50, - "rule_id": "5d00c579-794c-4f64-be52-1ed8cae2b11e", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json deleted file mode 100644 index e20197dfd2c92..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Splunk - Child Processes of Spoolsv.exe", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Child Processes of Spoolsv.exe", - "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ", - "risk_score": 50, - "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json deleted file mode 100644 index 11186bfb44d62..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect Large Outbound ICMP Packets", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect Large Outbound ICMP Packets", - "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, - "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json deleted file mode 100644 index 724985b2d1de8..0000000000000 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect Long DNS TXT Record Response", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect Long DNS TXT Record Response", - "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53", - "risk_score": 50, - "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json deleted file mode 100644 index c0e773f09b168..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect New Local Admin account", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect New Local Admin account", - "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators", - "risk_score": 50, - "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json deleted file mode 100644 index f9ad5793f2547..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect PsExec With accepteula Flag", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect PsExec With accepteula Flag", - "query": "process.name:PsExec.exe and process.args:\"-accepteula\"", - "risk_score": 50, - "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json deleted file mode 100644 index 0a67c3adeaea5..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"", - "risk_score": 50, - "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json deleted file mode 100644 index 466f9aff01942..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Processes created by netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Processes created by netsh", - "query": "process.parent.name:netsh.exe", - "risk_score": 50, - "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json deleted file mode 100644 index cc54721cd92f2..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Splunk - Processes launching netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Processes launching netsh", - "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ", - "risk_score": 50, - "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json deleted file mode 100644 index c68e074d43817..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Protocols passing authentication in cleartext", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Protocols passing authentication in cleartext", - "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp", - "risk_score": 50, - "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json deleted file mode 100644 index 5f36d6623bcfb..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "Splunk - Windows Event Log Cleared", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Windows Event Log Cleared", - "query": "event.code:(1102 or 1100)", - "risk_score": 50, - "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json deleted file mode 100644 index 37cf174786f97..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "description": "Suspicious process started by a script", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Suspicious process started by a script", - "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe)", - "risk_score": 50, - "rule_id": "e49b532b-3e52-4f3d-90f6-05a86982d347", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json deleted file mode 100644 index 7b40fc208ecd5..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "WinDump activity", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "WinDump activity", - "query": "process.name:WinDump.exe", - "risk_score": 50, - "rule_id": "61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -}
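Review bot: Across all of the deleted hunks, every file carries `"immutable": true` and a fixed `rule_id` (for example `14ba7cd9-1489-459b-99a4-153c7a3f9abb` in the "Process Execution via WMI" hunk), and prepackaged rules are matched on `rule_id` at install time; removing the JSON files stops new installs but does not by itself remove copies already installed on existing deployments. The PR description should state whether those installed rules are expected to be cleaned up manually or by a later migration, and any test fixture that lists these `rule_id` values needs updating in the same change.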
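Review bot: In the `process_started_by_acrobat_reader_possible_payload.json` hunk (and likewise the MS Office and "Suspicious process started by a script" hunks), the `filters` entry is a raw Kibana saved-search export: it carries an `appState` store and an `indexRefName` of `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index`, but the file has no `references` array to resolve that name against. The `event.action` constraint therefore depended on an unresolvable reference rather than living in `query`. Deleting these is right; if any are re-added, fold the condition into the KQL as `event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:AcroRd32.exe`, the way the cmd.exe script-interpreter hunk already does.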
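Review bot: The `process_started_by_windows_defender.json` hunk removes a query of `parent.process.name:MsMpEng.exe`; that field does not exist in ECS, where the parent process name is `process.parent.name` as used by every other parent-process rule in this patch, so the rule could never have matched ECS-mapped events. Worth calling out in the PR description so nobody treats the deletion as a loss of coverage.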
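Review bot: The `search_windows_10.json` hunk removes a rule whose `query` is the empty string and whose only constraints are filters pinning `agent.hostname` to `LAPTOP-CQNI37L2` and `event.provider` to `Microsoft-Windows-Sysmon`; that is a developer's saved search, not a detection, and enabling it would have alerted on every Sysmon event from that one machine. Good riddance, but consider having the prepackaged-rules loader reject a rule with an empty `query` so the same artifact cannot be committed again.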
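Review bot: In the `splunk_detect_long_dns_txt_record_response.json` hunk the rule is named for long TXT responses, yet the query `network.protocol:dns and server.bytes>100 and not destination.ip:...` contains no record-type condition at all, so it fired on any DNS response over 100 bytes to a non-private address, which ordinary responses with a handful of A records exceed. Any successor rule needs a record-type constraint on the ECS `dns.answers.type` field (or equivalent) before the size threshold means anything.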
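Review bot: In the `splunk_detect_new_local_admin_account.json` hunk, the query `event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators` applies one condition to two events with different field semantics: for 4732 (member added to a security-enabled local group) `TargetUserName` is the group, so the condition is meaningful, but for 4720 (user account created) `TargetUserName` is the new account's name, so that branch only fires if someone creates a user literally called `Administrators`. A replacement should restrict the group condition to 4732 and treat 4720 separately.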
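Review bot: The `splunk_protocols_passing_authentication_in_cleartext.json` hunk's query, `destination.port:(21 or 23 or 110 or 143) and network.transport:tcp`, is a pure port-number heuristic: it misses FTP, Telnet, POP3 or IMAP on any other port and flags TLS-protected sessions that use STARTTLS on 21 or 143 as cleartext. Deleting it is fine; a successor should key on `network.protocol` (or an explicit cleartext-authentication observation) rather than the port alone.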
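Review bot: In the `suspicious_process_started_by_a_script.json` hunk the second clause contains a bare `mshta.exe` term (`... process.name:certutil.exe or mshta.exe or process.name:nslookup.exe ...`) with no field prefix; in KQL a free term is matched against the index's default fields rather than `process.name`, so the rule both over-matched and did not express what its name suggests. Fine to delete, but note it in the changelog so any corrected version uses `process.name:mshta.exe` rather than copying this query.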