[Detections] Adds automatic updating for Prebuilt Security Detection …

…Rules package (#101846)

* Automatically install and update the security_detection_engine package
* Remove security_detection_engine from required Fleet packages
* Update fleet package-registry image
* Add sha256: to the distribution package
* Use distribution from https://beats-ci.elastic.co/job/Ingest-manager/job/release-distribution/152
* Change fleet required packag
* Fix bad merge
* Update rules to 0.13.1 package
* Fix NOTICE.txt

NOTICE.txt

@@ -149,17 +149,17 @@ SOFTWARE.
 
 ---
 Detection Rules
-Copyright 2020 Elasticsearch B.V.
+Copyright 2021 Elasticsearch B.V.
 
 ---
 This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack
-which is available under a "MIT" license. The files based on this license are:
+which is available under a "MIT" license. The rules based on this license are:
 
-- defense_evasion_via_filter_manager
-- discovery_process_discovery_via_tasklist_command
-- persistence_priv_escalation_via_accessibility_features
-- persistence_via_application_shimming
-- defense_evasion_execution_via_trusted_developer_utilities
+- "Potential Evasion via Filter Manager" (06dceabf-adca-48af-ac79-ffdf4c3b1e9a)
+- "Process Discovery via Tasklist" (cc16f774-59f9-462d-8b98-d27ccd4519ec)
+- "Potential Modification of Accessibility Binaries" (7405ddf1-6c8e-41ce-818f-48bea6bcaed8)
+- "Potential Application Shimming via Sdbinst" (fd4a992d-6130-4802-9ff8-829b89ae801f)
+- "Trusted Developer Application Usage" (9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1)
 
 MIT License
 
@@ -185,9 +185,9 @@ SOFTWARE.
 
 ---
 This product bundles rules based on https://github.com/FSecureLABS/leonidas
-which is available under a "MIT" license. The files based on this license are:
+which is available under a "MIT" license. The rules based on this license are:
 
-- credential_access_secretsmanager_getsecretvalue.toml
+- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)
 
 MIT License
 

x-pack/plugins/security_solution/public/app/home/index.tsx

@@ -17,7 +17,7 @@ import { useInitSourcerer, useSourcererScope } from '../../common/containers/sou
 import { useKibana } from '../../common/lib/kibana';
 import { DETECTIONS_SUB_PLUGIN_ID } from '../../../common/constants';
 import { SourcererScopeName } from '../../common/store/sourcerer/model';
-import { useUpgradeEndpointPackage } from '../../common/hooks/endpoint/upgrade';
+import { useUpgradeSecurityPackages } from '../../common/hooks/use_upgrade_security_packages';
 import { GlobalHeader } from './global_header';
 import { SecuritySolutionTemplateWrapper } from './template_wrapper';
 
@@ -56,7 +56,7 @@ const HomePageComponent: React.FC<HomePageProps> = ({
   // tabs in the app. This is useful for keeping the endpoint package as up to date as possible until
   // a background task solution can be built on the server side. Once a background task solution is available we
   // can remove this.
-  useUpgradeEndpointPackage();
+  useUpgradeSecurityPackages();
 
   return (
     <SecuritySolutionAppWrapper className="kbnAppWrapper">

x-pack/plugins/security_solution/public/common/hooks/endpoint/upgrade.ts → x-pack/plugins/security_solution/public/common/hooks/use_upgrade_security_packages.ts

@@ -6,31 +6,31 @@
  */
 
 import { useEffect } from 'react';
-import { HttpFetchOptions, HttpStart } from 'src/core/public';
-import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
+import { HttpFetchOptions, HttpStart } from 'kibana/public';
+import { useKibana } from '../../../../../../src/plugins/kibana_react/public';
 import {
   epmRouteService,
   appRoutesService,
   CheckPermissionsResponse,
   BulkInstallPackagesResponse,
-} from '../../../../../fleet/common';
-import { StartServices } from '../../../types';
-import { useIngestEnabledCheck } from './ingest_enabled';
+} from '../../../../fleet/common';
+import { StartServices } from '../../types';
+import { useIngestEnabledCheck } from './endpoint/ingest_enabled';
 
 /**
- * Requests that the endpoint package be upgraded to the latest version
+ * Requests that the endpoint and security_detection_engine package be upgraded to the latest version
  *
  * @param http an http client for sending the request
  * @param options an object containing options for the request
  */
-const sendUpgradeEndpointPackage = async (
+const sendUpgradeSecurityPackages = async (
   http: HttpStart,
   options: HttpFetchOptions = {}
 ): Promise<BulkInstallPackagesResponse> => {
   return http.post<BulkInstallPackagesResponse>(epmRouteService.getBulkInstallPath(), {
     ...options,
     body: JSON.stringify({
-      packages: ['endpoint'],
+      packages: ['endpoint', 'security_detection_engine'],
     }),
   });
 };
@@ -51,7 +51,7 @@ const sendCheckPermissions = async (
   });
 };
 
-export const useUpgradeEndpointPackage = () => {
+export const useUpgradeSecurityPackages = () => {
   const context = useKibana<StartServices>();
   const { allEnabled: ingestEnabled } = useIngestEnabledCheck();
 
@@ -79,7 +79,7 @@ export const useUpgradeEndpointPackage = () => {
           }
 
           // ignore the response for now since we aren't notifying the user
-          await sendUpgradeEndpointPackage(context.services.http, { signal });
+          await sendUpgradeSecurityPackages(context.services.http, { signal });
         } catch (error) {
           // Ignore Errors, since this should not hinder the user's ability to use the UI
 

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: POST Request Declined",
-  "query": "http.response.status_code:403 and http.request.method:post",
+  "query": "http.response.status_code:403 and http.request.method:post\n",
   "references": [
     "https://en.wikipedia.org/wiki/HTTP_403"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: Unauthorized Method",
-  "query": "http.response.status_code:405",
+  "query": "http.response.status_code:405\n",
   "references": [
     "https://en.wikipedia.org/wiki/HTTP_405"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json

@@ -30,7 +30,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: No User Agent",
-  "query": "url.path:*",
+  "query": "url.path:*\n",
   "references": [
     "https://en.wikipedia.org/wiki/User_agent"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: sqlmap User Agent",
-  "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+  "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n",
   "references": [
     "http://sqlmap.org/"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json

@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "Application Added to Google Workspace Domain",
   "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
-  "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+  "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
   "references": [
     "https://support.google.com/a/answer/6328701?hl=en#"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "Attempt to Deactivate an Okta Network Zone",
   "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:okta.system and event.action:zone.deactivate",
+  "query": "event.dataset:okta.system and event.action:zone.deactivate\n",
   "references": [
     "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "Attempt to Delete an Okta Network Zone",
   "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:okta.system and event.action:zone.delete",
+  "query": "event.dataset:okta.system and event.action:zone.delete\n",
   "references": [
     "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json

@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS CloudTrail Log Created",
   "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
   "references": [
     "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "GCP Pub/Sub Subscription Creation",
   "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
   "references": [
     "https://cloud.google.com/pubsub/docs/overview"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "GCP Pub/Sub Topic Creation",
   "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
   "references": [
     "https://cloud.google.com/pubsub/docs/admin"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json

@@ -17,7 +17,7 @@
   "license": "Elastic License v2",
   "name": "Microsoft 365 New Inbox Rule Created",
   "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success",
+  "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success\n",
   "references": [
     "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
     "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json

@@ -15,7 +15,7 @@
   "license": "Elastic License v2",
   "name": "Azure Event Hub Authorization Rule Created or Updated",
   "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)",
+  "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
   "references": [
     "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json

@@ -12,7 +12,10 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Network Connection via Certutil",
-  "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+  "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+  "references": [
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+  ],
   "risk_score": 21,
   "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
   "severity": "low",
@@ -41,5 +44,5 @@
     }
   ],
   "type": "eql",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json

@@ -13,7 +13,7 @@
   "license": "Elastic License v2",
   "name": "Cobalt Strike Command and Control Beacon",
   "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
-  "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+  "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n",
   "references": [
     "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json

@@ -11,7 +11,7 @@
   "license": "Elastic License v2",
   "name": "Default Cobalt Strike Team Server Certificate",
   "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.",
-  "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
+  "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
   "references": [
     "https://attack.mitre.org/software/S0154/",
     "https://www.cobaltstrike.com/help-setup-collaboration",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json

@@ -13,10 +13,11 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "DNS Activity to the Internet",
-  "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
+  "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
   "references": [
     "https://www.us-cert.gov/ncas/alerts/TA15-240A",
-    "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
+    "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
   ],
   "risk_score": 47,
   "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
@@ -40,5 +41,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 8
+  "version": 9
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Potential DNS Tunneling via NsLookup",
-  "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)",
+  "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
   "references": [
     "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json

@@ -13,10 +13,11 @@
   "license": "Elastic License v2",
   "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
   "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
-  "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+  "query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
   "references": [
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
-    "https://www.justice.gov/opa/press-release/file/1084361/download"
+    "https://www.justice.gov/opa/press-release/file/1084361/download",
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
   ],
   "risk_score": 47,
   "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
@@ -46,5 +47,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }