Updating detections and adding a new one

[dluxtron]

DL PR

Updates to existing ESCU Detections

detect_large_outbound_icmp_packets.yml

• Added Risk Message
• Updated Risk Object from dest to dest_ip
• Added another risk object for src_ip
• Added the renamed field to the values commands
• Added filtering for dest_ips to the where clause of the tstats command
• Added iplocation

detect_outbound_smb_traffic.yml

• All_Traffic.direction is not populated by all firewall logs, added internal to external logic to the where clause of the tstats instaed
• Added dest_port and dest_ip to the by clause of the tstats for better filtering & RBA experience
• Added iplocation

remote_desktop_network_bruteforce.yml

• Updated search logic to use port 3389 as well (customer didn't have the RDP app resolving)
• Added filtering for allowed traffic only - inbound blocked traffic was triggering this rule
• Added src as a risk object

remote_desktop_network_traffic.yml

• Added risk message

smb_traffic_spike.yml

• Added risk message
• Added src as risk object

high_volume_of_bytes_out_to_url.yml

• Moved from Network folder to web folder

java_class_file_download_by_java_user_agent.yml

• Moved from Network folder to web folder

multiple_archive_files_http_post_traffic.yml

• Moved from Network folder to web folder

plain_http_post_exfiltrated_data.yml

• Moved from Network folder to web folder

unusually_long_content_type_length.yml

• Moved from Network folder to web folder
• Rewrote detection to use Web Datamodel
• Added risk message
• Added risk object for src

Added new detection

internal_horizontal_port_scan_nmap_top_20.yml Same as the other internal horizontal port scan, but focused on the nmap top 20.