bc5 siem rules merge (#62679) (#62725)

* bc5 rule merge

version changes
field changes to endpoint rules
removed max_signals from 7 rules

* Fixing monitoring i18n (#62715)

* Updates esarchiver test data with the latest rules (#62723)

* Remove CR, only CRLF for rules

* delete two files

for Garrett

* deletes

delete 2 files (for Garrett)

* Revert "deletes"

This reverts commit cc2ac1e.

* Revert "Fixing monitoring i18n (#62715)"

This reverts commit 0285740.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

Co-authored-by: The SpaceCake Project <randomuserid@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

Author: 4 people

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json

@@ -20,5 +20,5 @@
     "Elastic"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json

@@ -20,5 +20,5 @@
     "Elastic"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Adversary Behavior - Detected - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
+  "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
   "risk_score": 47,
   "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
   "severity": "medium",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Credential Dumping - Detected - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
+  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
   "risk_score": 73,
   "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
   "severity": "high",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Credential Dumping - Prevented - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
+  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
   "risk_score": 47,
   "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
   "severity": "medium",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Credential Manipulation - Detected - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
+  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
   "risk_score": 73,
   "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
   "severity": "high",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Credential Manipulation - Prevented - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
+  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
   "risk_score": 47,
   "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
   "severity": "medium",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Exploit - Detected - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
+  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
   "risk_score": 73,
   "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
   "severity": "high",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Exploit - Prevented - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
+  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
   "risk_score": 47,
   "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
   "severity": "medium",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json

@@ -7,7 +7,7 @@
   "interval": "10m",
   "language": "kuery",
   "name": "Malware - Detected - Elastic Endpoint",
-  "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
+  "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
   "risk_score": 99,
   "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
   "severity": "critical",
@@ -16,5 +16,5 @@
     "Endpoint"
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }