Network rules for the 7.13 release (#1087)
* Adding network rules for the 7.13 release * Adding rule guids * Update rules/ml/ml_high_count_network_denies.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/ml/ml_rare_destination_country.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/ml/ml_rare_destination_country.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/ml/ml_rare_destination_country.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/ml/ml_high_count_network_events.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/ml/ml_spike_in_traffic_to_a_country.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Minor changes Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
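--- /dev/null
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusually large spike in network traffic that was
+denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by
+either 1) a mis-configured application or firewall or 2) suspicious or malicious activity.
+Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
+or engage in data exfiltration, may produce a burst of failed connections. This could also
+be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
+attacks or traffic floods may also produce such a surge in traffic.
+"""
+false_positives = [
+"""
+A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.
+""",
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "high-count-network-denies"
+name = "Spike in Firewall Denies"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"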
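Review bot: The false_positives entry misspells "misconfigured" as "misconfgured" (`A misconfgured network application or firewall may trigger this alert.`), while the equivalent sentence in the Spike in Network Traffic rule added by this commit is spelled correctly. This text is surfaced to analysts as triage guidance, so it should read `A misconfigured network application or firewall may trigger this alert.`. The description also hyphenates "mis-configured" in the same file; pick one spelling for both strings.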
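--- /dev/null
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic,
+if not caused by a surge in business activity, can be due to suspicious or malicious activity.
+Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually
+large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may
+also produce such a surge in traffic.
+"""
+false_positives = [
+"""
+Business workflows that occur very occasionally, and involve an unsual surge in network trafic,
+can trigger this alert. A new business workflow or a surge in business activity may trigger this alert.
+A misconfigured network application or firewall may trigger this alert.
+""",
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "high-count-network-events"
+name = "Spike in Network Traffic"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"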
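Review bot: The first line of the false_positives string contains two typos, "unsual" and "trafic", in analyst-facing text. It should read `Business workflows that occur very occasionally, and involve an unusual surge in network traffic,`. The rest of the string and the description are fine.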
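--- /dev/null
+++ b/rules/ml/ml_rare_destination_country.toml
@@ -0,0 +1,38 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected a rare destination country name in the network logs.
+This can be due to initial access, persistence, command-and-control, or exfiltration activity.
+For example, when a user clicks on a link in a phishing email or opens a malicious document,
+a request may be sent to download and run a payload from a server in a country which does not
+normally appear in network traffic or business work-flows. Malware instances and persistence
+mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin,
+which may be an unusual destination country for the source network.
+"""
+false_positives = [
+"""
+Business workflows that occur very occasionally, and involve a business relationship with an
+organization in a country that does not routinely appear in network events, can trigger this alert.
+A new business workflow with an organization in a country with which no workflows previously
+existed may trigger this alert - although the model will learn that the new destination country
+is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many
+countries for brief periods may trigger this alert.
+""",
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "rare-destination-country"
+name = "Network Traffic to Rare Destination Country"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"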
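Review bot: The false_positives text points out that the model "will learn that the new destination country is no longer anomalous as the activity becomes ongoing", but the description does not draw the defender-side consequence: a sustained malicious channel to a rare country will also be absorbed into the baseline, so the first alert for a new country is the one that must be triaged rather than waiting for repeats. Suggest a sentence to that effect in the description, or in a `note` investigation-guide field if this repository's rule schema supports one (hedged: the schema is not visible here). Separately, the description writes "work-flows" while the false_positives text writes "workflows"; the same hyphenated form appears in the Spike in Network Traffic To a Country description in this commit, so normalise both to "workflows".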
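--- /dev/null
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -0,0 +1,36 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusually large spike in network activity to one
+destination country in the network logs. This could be due to unusually large amounts
+of reconnaissance or enumeration traffic. Data exfiltration activity may also produce
+such a surge in traffic to a destination country which does not normally appear in network
+traffic or business work-flows. Malware instances and persistence mechanisms may communicate
+with command-and-control (C2) infrastructure in their country of origin, which may be an
+unusual destination country for the source network.
+"""
+false_positives = [
+"""
+Business workflows that occur very occasionally, and involve an unusual surge in network traffic
+to one destination country, can trigger this alert. A new business workflow or a surge in business
+activity in a particular country may trigger this alert. Business travelers who roam to many
+countries for brief periods may trigger this alert if they engage in volumetric network activity.
+""",
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "high-count-by-destination-country"
+name = "Spike in Network Traffic To a Country"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"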