
Commit 571c6e4

committed
refactor(correlation): remove deprecated correlation rules and clean up group rules data
1 parent cf62f57 commit 571c6e4

1 file changed

Lines changed: 0 additions & 1 deletion


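--- a/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql
+++ b/backend/src/main/resources/config/liquibase/data/20260209/utm_correlation_rules.sql
@@ -11960,7 +11960,6 @@ insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, r
 insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (703, 'Windows: Printer driver failed to load, possible remote code execution using PrinterNightmare exploit: CVE-2021-34527', 3, 2, 1, 'Lateral Movement', 'T1210 - Exploitation of Remote Services', 'Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.', '["https://attack.mitre.org/techniques/T1210/"]', 'equals("log.eventCode", 808) && oneOf("log.severityLabel", ["Error", "error"])', '2026-02-09 16:57:30.092232', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
 insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (704, 'Windows: Potential DNS Tunneling via NsLookup', 3, 2, 1, 'Command and Control', 'T1071 - Application Layer Protocol', 'This rule identifies a large number of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.', '["https://attack.mitre.org/tactics/TA0011/","https://attack.mitre.org/techniques/T1071/"]', 'contains("log.eventDataProcessName", "nslookup.exe") && regexMatch("log.message", "(-querytype=|-qt=|-q=|-type=)")', '2026-02-09 16:57:30.237296', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
 insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (705, 'Windows: Potential Credential Access via DuplicateHandle in LSASS', 3, 1, 2, 'Credential Access', 'T1003 - OS Credential Dumping', 'Identifies suspicious access to an LSASS handle via DuplicateHandle. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.', '["https://attack.mitre.org/tactics/TA0006/","https://attack.mitre.org/techniques/T1003/"]', 'equals("log.eventCode", 10) && contains("log.eventDataProcessName", "lsass.exe") && equals("log.eventDataGrantedAccess", "0x40") && regexMatch("log.eventDataCallTrace", "(UNKNOWN)")', '2026-02-09 16:57:30.612281', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
-', '2026-02-09 16:57:30.737828', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
 insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (708, 'Windows: Persistence via PowerShell profile', 2, 3, 1, 'Persistence', 'T1546.013 - Event Triggered Execution: PowerShell Profile', 'Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.', '["https://attack.mitre.org/tactics/TA0003/","https://attack.mitre.org/techniques/T1098/002/"]', 'regexMatch("log.eventDataProcessName", "(:\\Users\\(.+)\\Documents\\WindowsPowerShell\\|:\\Users\\(.+)\\Documents\\PowerShell\\|:\\Windows\\System32\\WindowsPowerShell\\)") && regexMatch("log.eventDataProcessName", "(profile.ps1|Microsoft.Powershell_profile.ps1)")', '2026-02-09 16:57:31.091997', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');
 insert into public.utm_correlation_rules (id, rule_name, rule_confidentiality, rule_integrity, rule_availability, rule_category, rule_technique, rule_description, rule_references_def, rule_definition_def, rule_last_update, rule_active, system_owner, rule_adversary, rule_deduplicate_by_def, rule_after_events_def, rule_group_by_def) values (710, 'Windows: Suspicious PrintSpooler Service Executable File Creation', 2, 3, 1, 'Privilege Escalation', 'T1068 - Exploitation for Privilege Escalation', 'Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE''s - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched', '["https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/techniques/T1068/"]', '!regexMatch("log.file.path", "(\\Windows\\System32\\spool\\|:\\Windows\\Temp\\|:\\Users\\)") && contains("log.winlogEventDataProcessName", "spoolsv.exe")
 ', '2026-02-09 16:57:31.392689', true, false, 'origin', null, '[]', '["adversary.ip","adversary.user"]');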
