[New Rules] Potential portscan detected (#2817)

* [New Rules] Potential portscan detected

* Updated descriptions

* Update rules/network/discovery_potential_syn_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_network_sweep_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating integration manifests and schemas

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

rules/network/discovery_potential_network_sweep_detected.toml

@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2023/05/17"
+integration = ["endpoint", "network_traffic"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/05/26"
+
+[rule]
+author = ["Elastic"]
+description = '''
+This rule identifies a potential network sweep.  A network sweep is a method used by attackers to scan a target 
+network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and 
+weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized 
+access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts 
+from one source host to 10 or more destination hosts on commonly used network services.
+'''
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential Network Sweep Detected"
+
+risk_score = 47
+rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
+severity = "medium"
+tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+type = "threshold"
+
+query = '''
+destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.001"
+name = "Scanning IP Blocks"
+reference = "https://attack.mitre.org/techniques/T1595/001/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[rule.threshold]
+field = ["source.ip"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "destination.ip"
+value = 10

rules/network/discovery_potential_port_scan_detected.toml

@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2023/05/17"
+integration = ["endpoint", "network_traffic"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/05/26"
+
+[rule]
+author = ["Elastic"]
+description = '''
+This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a 
+target system or network for open ports, allowing them to identify available services and potential vulnerabilities. 
+By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining 
+unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further 
+exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts 
+from one source host to 20 or more destination ports.
+'''
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential Network Scan Detected"
+
+risk_score = 47
+rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
+severity = "medium"
+tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+type = "threshold"
+
+query = '''
+destination.port :* and event.action: ("network_flow" or "connection_accepted" or "connection_attempted" )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.001"
+name = "Scanning IP Blocks"
+reference = "https://attack.mitre.org/techniques/T1595/001/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[rule.threshold]
+field = ["destination.ip", "source.ip"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "destination.port"
+value = 20

rules/network/discovery_potential_syn_port_scan_detected.toml

@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2023/05/17"
+integration = ["endpoint", "network_traffic"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/05/26"
+
+[rule]
+author = ["Elastic"]
+description = '''
+This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a 
+target network for open ports by sending SYN packets to multiple ports and observing the response. 
+Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, 
+allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its 
+security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic 
+to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.
+'''
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential SYN-Based Network Scan Detected"
+
+risk_score = 47
+rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
+severity = "medium"
+tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+type = "threshold"
+
+query = '''
+destination.port :* and network.packets <= 2
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.001"
+name = "Scanning IP Blocks"
+reference = "https://attack.mitre.org/techniques/T1595/001/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[rule.threshold]
+field = ["destination.ip", "source.ip"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "destination.port"
+value = 10