[New Rule] Multiple Vault Web credentials were read (#2281)

* [New Rule] Multiple Vault Web credentials were read

https://github.com/elastic/detection-rules/issues/2164

* Update credential_access_saved_creds_vault_winlog.toml

* Update non-ecs-schema.json

* Update rules/windows/credential_access_saved_creds_vault_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

detection_rules/etc/non-ecs-schema.json

@@ -38,6 +38,8 @@
         "TargetLogonId": "keyword",
         "TargetProcessGUID": "keyword",
         "TargetSid": "keyword", 
+      	"SchemaFriendlyName": "keyword",
+	      "Resource": "keyword",
         "PrivilegeList": "keyword", 
         "AuthenticationPackageName" : "keyword", 
         "TargetUserSid" : "keyword", 

rules/windows/credential_access_saved_creds_vault_winlog.toml

@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2022/08/30"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
+applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
+saved usernames and passwords. This may also be performed in preparation of lateral movement.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Multiple Vault Web Credentials Read"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",]
+risk_score = 47
+rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+type = "eql"
+
+query = '''
+sequence by host.id, winlog.process.pid with maxspan=1s
+
+ /* 2 consecutive vault reads from same pid for web creds */
+
+ [any where event.code : "5382" and
+  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
+  not winlog.event_data.SubjectLogonId : "0x3e7"]
+
+ [any where event.code : "5382" and
+  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
+  not winlog.event_data.SubjectLogonId : "0x3e7"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.004"
+name = "Windows Credential Manager"
+reference = "https://attack.mitre.org/techniques/T1555/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+