
[FR] Add missing logs-system.security* to applicable security rules #3661

Open
mbudge opened this issue May 11, 2024 · 0 comments
Labels: community, enhancement (New feature or request)
mbudge commented May 11, 2024

Hi,

Good to see logs-system.security* has been added to more security rules.

The following are missing logs-system.security* but have winlogbeat-* meaning they have the correct data to work. This will allow us to enable these rules as it's still not possible to customise the pre-built elastic security rules. The high priority part of this FR is adding logs-system.security* where applicable.

Accessing Outlook Data Files
Attempted Private Key Access
Binary Content Copy via Cmd.exe
Command Shell Activity Started via RunDLL32
Encrypting Files with WinRar or 7z
Execution of Persistent Suspicious Program
Microsoft Build Engine Started by a Script Process
Microsoft Exchange Worker Spawning Suspicious Processes
Persistence via BITS Job Notify Cmdline
Persistence via Update Orchestrator Service Hijack
Potential Cookies Theft via Browser Debugging
Potential Modification of Accessibility Binaries
Process Activity via Compiled HTML File
Remote System Discovery Commands
Suspicious Execution from a Mounted Device
Suspicious Execution via Microsoft Office Add-Ins
Suspicious Execution via Scheduled Task
Suspicious Explorer Child Process
Suspicious WerFault Child Process
System Information Discovery via Windows Command Shell
System Service Discovery through built-in Windows Utilities
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
UAC Bypass via Windows Firewall Snap-In Hijack
Unusual Child Process of dns.exe
Unusual Parent Process for cmd.exe
Unusual Service Host Child Process - Childless Service
Windows Firewall Disabled via PowerShell
Windows Network Enumeration
Windows Script Executing PowerShell
Windows System Information Discovery

The following rules are missing logs-system.security and winlogbeat-* but will work.

Discovery of Internet Capabilities via Built-in Tools
Elastic Agent Service Terminated
Execution via Microsoft DotNet ClickOnce Host
File and Directory Permissions Modification
File or Directory Deletion Command
Mofcomp Activity
Potential Defense Evasion via CMSTP.exe
Potential Exploitation of an Unquoted Service Path Vulnerability
Service Path Modification via sc.exe
Suspicious Execution via MSIEXEC
Windows Account or Group Discovery
Windows System Network Connections Discovery
WMIC Remote Command
Account Discovery Command via SYSTEM Account

The following rules will work if process.name.caseless is added to the Fleet managed mappings.

Discovery of Internet Capabilities via Built-in Tools
Microsoft Build Engine Started by a Script Process
Query Registry using Built-in Tools

These rules should be tagged with sysmon or powershell so it's easier to exclude them.

Command Prompt Network Connection
Connection to Commonly Abused Free SSL Certificate Providers
Creation or Modification of a new GPO Scheduled Task or Service
DNS-over-HTTPS Enabled via Registry
First Time Seen Commonly Abused Remote Access Tool Execution
Incoming DCOM Lateral Movement with MMC
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
Incoming Execution via PowerShell Remoting
Incoming Execution via WinRM Remote Shell
InstallUtil Process Making Network Connections
Kerberos Traffic from Unusual Process
Mshta Making Network Connections

@mbudge mbudge added the enhancement New feature or request label May 11, 2024
@w0rk3r w0rk3r self-assigned this May 12, 2024