adds sample rule with mitre attack threats property

dhurley14 · dhurley14 · commit b3045c73c71f · 2019-11-26T19:17:27.000-05:00
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/root_or_admin_threats.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/root_or_admin_threats.json
@@ -0,0 +1,43 @@
+{
+  "rule_id": "rule-1",
+  "description": "Detecting root and admin users",
+  "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*"],
+  "interval": "5s",
+  "name": "Detect Root/Admin Users",
+  "severity": "high",
+  "risk_score": 1,
+  "type": "query",
+  "from": "now-6s",
+  "to": "now",
+  "query": "user.name: root or user.name: admin",
+  "language": "kuery",
+  "references": ["http://www.example.com", "https://ww.example.com"],
+  "threats": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0040",
+        "name": "impact",
+        "reference": "https://attack.mitre.org/tactics/TA0040/"
+      },
+      "technique": {
+        "id": "T1499",
+        "name": "endpoint denial of service",
+        "reference": "https://attack.mitre.org/techniques/T1499/"
+      }
+    },
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "T1020",
+        "name": "Automated Exfiltration",
+        "reference": "https://attack.mitre.org/techniques/T1020/"
+      },
+      "technique": {
+        "id": "T1002",
+        "name": "Data Compressed",
+        "reference": "https://attack.mitre.org/techniques/T1002/"
+      }
+    }
+  ]
+}
