Alright, here you go:
{
"took" : 6351,
"timed_out" : false,
"_shards" : {
"total" : 73,
"successful" : 73,
"skipped" : 56,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 854,
"relation" : "eq"
},
"max_score" : 2.1661859,
"hits" : [
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:072a2390-92ff-11eb-9090-8f2969880775",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2021-04-01T15:29:19.945Z",
"created_by" : "XXX",
"description" : "Any interaction with dionaea honeypot.",
"immutable" : false,
"list_id" : "5cd489a6-4533-44ff-b38a-bc5d93052915",
"list_type" : "list",
"name" : "Dionaea interaction",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "2e17679f-a1f7-4318-be28-9022265fd597",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2021-04-01T15:29:19.952Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:b37ac880-2b4c-11ec-b68a-ab868ee1c135",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2021-10-12T11:08:17.031Z",
"created_by" : "XXX",
"description" : "Adversaries may attempt to get information about running processes on a system.",
"immutable" : false,
"list_id" : "76288ec6-4e6b-4c52-9088-5761aa52293f",
"list_type" : "list",
"name" : "Process Discovery via Tasklist",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "3984f513-b499-45e8-91f3-046beb6c4715",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2021-10-12T11:08:17.046Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:0c8f93c0-29a9-11eb-a164-fd3748a12a8e",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"_tags" : [ ],
"created_at" : "2020-11-18T14:19:20.183Z",
"created_by" : "XXX",
"description" : "Malware DNS Trap is used to identify compromised clients attempting to access known malicious domains. When this feature is enabled, gateway does not block DNS requests that were identified as malicious. The response is tampered and a false (bogus) IP address is returned to the client. Using the Malware DNS Trap you can then detect compromised clients by checking logs with connection attempts to the false IP address. Consecutive connections addressed to the bogus IP are blocked. The default value for DNS trap IP is 62.0.58.94. ",
"immutable" : false,
"list_id" : "f4b1b75a-87fb-4d08-bfb7-02488ebdbb6e",
"list_type" : "list",
"name" : "Checkpoint DNS trap",
"tags" : [ ],
"tie_breaker_id" : "e7b5a7a1-1239-4fa8-a792-a73fe639e19f",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2020-11-18T14:19:20.188Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:67d42a60-01cb-11ed-87b0-a5d4c1d9b2c5",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-07-12T10:14:25.030Z",
"created_by" : "XXX",
"description" : "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
"immutable" : false,
"list_id" : "a3cec274-98ad-4bac-8eaa-137f15726b46",
"list_type" : "list",
"name" : "Unusual File Modification by dns.exe",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "991caf08-080a-4eb8-82f2-961032fe1043",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-07-12T10:14:25.037Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:4fb5fc40-d5e0-11ec-82db-49f2e96bbcbc",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-05-17T12:53:12.836Z",
"created_by" : "XXX",
"description" : """Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.""",
"immutable" : false,
"list_id" : "457831c8-9cb6-4c7d-9093-14990062a4cf",
"list_type" : "list",
"name" : "Suspicious In-Memory Module Execution",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "f20ca6c1-cd25-4f5e-bfb4-26a1b56c39f7",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-05-17T12:53:12.844Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:57134330-d5e5-11ec-82db-49f2e96bbcbc",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-05-17T13:29:12.674Z",
"created_by" : "XXX",
"description" : """This rule detects network events that may indicate the use of SSH traffic
from the Internet. SSH is commonly used by system administrators to remotely
control a system using the command line shell. If it is exposed to the Internet,
it should be done with strong security controls as it is frequently targeted and
exploited by threat actors as an initial access or back-door vector.
""",
"immutable" : false,
"list_id" : "f946a9cd-129f-4e43-b7ee-a145b1e1de03",
"list_type" : "list",
"name" : "SSH (Secure Shell) to the Internet",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "72599801-9312-4ec5-94d5-61568bff0bcb",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-05-17T13:29:12.683Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "exception-list:887927b0-882d-11ec-beea-cf06de1ba3b9",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-02-07T15:49:28.619Z",
"created_by" : "XXX",
"description" : """This rule detects events that may indicate use of a PPTP VPN connection. Some
threat actors use these types of connections to tunnel their traffic while
avoiding detection.
""",
"immutable" : false,
"list_id" : "461af834-d78b-4218-90a2-58f893166005",
"list_type" : "list",
"name" : "PPTP (Point to Point Tunneling Protocol) Activity",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "1da66c06-70c2-4bc4-a8bd-b3d1b3e197d2",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-02-07T15:49:28.627Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:9534bce0-e1be-11ec-87b0-a5d4c1d9b2c5",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-06-01T15:22:00.494Z",
"created_by" : "XXX",
"description" : """This rule detects events that may describe SMTP traffic from internal
hosts to a host across the Internet. In an enterprise network, there is typically
a dedicated internal host that performs this function. It is also
frequently abused by threat actors for command and control, or data exfiltration.
""",
"immutable" : false,
"list_id" : "0dc2ccb8-9680-4883-a546-2a1bca188deb",
"list_type" : "list",
"name" : "SMTP to the Internet",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "14c899c5-0448-4a72-8eef-321783c52233",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-06-01T15:22:00.502Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:c162e610-e1bf-11ec-87b0-a5d4c1d9b2c5",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-06-01T15:30:24.113Z",
"created_by" : "XXX",
"description" : """This rule detects events that may describe database traffic
(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases
should almost never be directly exposed to the Internet, as they are
frequently targeted by threat actors to gain initial access to network resources.
""",
"immutable" : false,
"list_id" : "f9b00789-6f61-4027-b7e7-630ffbd445b1",
"list_type" : "list",
"name" : "SQL Traffic to the Internet",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "6b3ea150-bf80-4d6b-91a9-4796e8f8bc86",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-06-01T15:30:24.124Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "XXX:exception-list:d8122140-e1c0-11ec-87b0-a5d4c1d9b2c5",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-06-01T15:38:11.668Z",
"created_by" : "XXX",
"description" : """This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet.
IRC is a common protocol that can be used for chat and file transfers. This
protocol is also a good candidate for remote control of malware and data
transfers to and from a network.
""",
"immutable" : false,
"list_id" : "eb029e9f-6a9b-404a-9aa9-d35ee38f1fd7",
"list_type" : "list",
"name" : "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "31d1e959-cc17-49ee-93ef-9584c4e2eaf9",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"namespace" : "XXX",
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-06-01T15:38:11.674Z"
}
},
{
"_index" : ".kibana_7.17.2_001",
"_type" : "_doc",
"_id" : "exception-list:0b8342a0-e277-11ec-87b0-a5d4c1d9b2c5",
"_score" : 2.1661859,
"_source" : {
"exception-list" : {
"created_at" : "2022-06-02T13:22:26.378Z",
"created_by" : "XXX",
"description" : "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
"immutable" : false,
"list_id" : "a1d95c57-503b-42f4-a5fe-fb64bc001406",
"list_type" : "list",
"name" : "Attempt to Disable IPTables or Firewall",
"os_types" : [ ],
"tags" : [ ],
"tie_breaker_id" : "55c8b276-4ab2-43ff-96e5-5354160669be",
"type" : "detection",
"updated_by" : "XXX",
"version" : 1
},
"type" : "exception-list",
"references" : [ ],
"migrationVersion" : {
"exception-list" : "7.12.0"
},
"coreMigrationVersion" : "7.17.2",
"updated_at" : "2022-06-02T13:22:26.384Z"
}
},
and so on...