From 0095a800144fe4438f42de599e64de372bde68f4 Mon Sep 17 00:00:00 2001
From: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
Date: Thu, 8 Apr 2021 09:34:47 -0700
Subject: [PATCH] Network rules for the 7.13 release (#1087)

* Adding network rules for the 7.13 release
* Adding rule guids
* Update rules/ml/ml_high_count_network_denies.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_high_count_network_events.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/ml/ml_spike_in_traffic_to_a_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Minor changes
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 rules/ml/ml_high_count_network_denies.toml | 33 ++++++++++++++++
 rules/ml/ml_high_count_network_events.toml | 33 ++++++++++++++++
 rules/ml/ml_rare_destination_country.toml | 38 +++++++++++++++++++
 .../ml/ml_spike_in_traffic_to_a_country.toml | 36 ++++++++++++++++++
 4 files changed, 140 insertions(+)
 create mode 100644 rules/ml/ml_high_count_network_denies.toml
 create mode 100644 rules/ml/ml_high_count_network_events.toml
 create mode 100644 rules/ml/ml_rare_destination_country.toml
 create mode 100644 rules/ml/ml_spike_in_traffic_to_a_country.toml
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
new file mode 100644
index 000000000..d7f6fdbba
--- /dev/null
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusually large spike in network traffic that was
+denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by
+either 1) a mis-configured application or firewall or 2) suspicious or malicious activity.
+Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
+or engage in data exfiltration, may produce a burst of failed connections. This could also
+be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
+attacks or traffic floods may also produce such a surge in traffic.
+"""
+false_positives = [
+ """
+ A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.
+ """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "high-count-network-denies"
+name = "Spike in Firewall Denies"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
new file mode 100644
index 000000000..8f82e3aee
--- /dev/null
+++ b/rules/ml/ml_high_count_network_events.toml
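Review bot: The `false_positives` entry in this hunk misspells "misconfgured" in analyst-facing text, while the `description` two paragraphs above hyphenates the same word as "mis-configured"; the line should read `A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.` and the description should use the same unhyphenated spelling. None of the four new rules carries a `[[rule.threat]]` mapping, even though every description explicitly names command-and-control, exfiltration, reconnaissance or denial-of-service activity; adding the MITRE ATT&CK tactic entries the prose already implies would let analysts pivot from the alert to the tactic and keeps these rules consistent with the rest of the rule set. The same omission applies to the hunks for ml_high_count_network_events.toml, ml_rare_destination_country.toml and ml_spike_in_traffic_to_a_country.toml. This single false-positive line is also far longer than the wrapped description lines above it; wrapping it at the same width as the other rules would keep the multi-line strings uniform.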
@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic,
+if not caused by a surge in business activity, can be due to suspicious or malicious activity.
+Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually
+large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may
+also produce such a surge in traffic.
+"""
+false_positives = [
+ """
+ Business workflows that occur very occasionally, and involve an unsual surge in network trafic,
+ can trigger this alert. A new business workflow or a surge in business activity may trigger this alert.
+ A misconfigured network application or firewall may trigger this alert.
+ """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "high-count-network-events"
+name = "Spike in Network Traffic"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"
diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml
new file mode 100644
index 000000000..84559d6aa
--- /dev/null
+++ b/rules/ml/ml_rare_destination_country.toml
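Review bot: The first `false_positives` line in this hunk contains two typos, "unsual" and "trafic", in text that is shown to analysts during triage; it should read `Business workflows that occur very occasionally, and involve an unsual surge in network trafic,` corrected to `Business workflows that occur very occasionally, and involve an unusual surge in network traffic,`. The description ties this spike to exfiltration and denial-of-service yet the rule ships with `risk_score = 21` and `severity = "low"`, which is presumably deliberate for a volumetric anomaly signal that needs corroboration, but nothing in the file says so; a one-line `#` comment above `risk_score` recording that rationale would stop a later tuning pass from silently raising it. The false-positive text also repeats the phrase "may trigger this alert" three times in three sentences, so folding them into one sentence would read more naturally.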
@@ -0,0 +1,38 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected a rare destination country name in the network logs.
+This can be due to initial access, persistence, command-and-control, or exfiltration activity.
+For example, when a user clicks on a link in a phishing email or opens a malicious document,
+a request may be sent to download and run a payload from a server in a country which does not
+normally appear in network traffic or business work-flows. Malware instances and persistence
+mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin,
+which may be an unusual destination country for the source network.
+"""
+false_positives = [
+ """
+ Business workflows that occur very occasionally, and involve a business relationship with an
+ organization in a country that does not routinely appear in network events, can trigger this alert.
+ A new business workflow with an organization in a country with which no workflows previously
+ existed may trigger this alert - although the model will learn that the new destination country
+ is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many
+ countries for brief periods may trigger this alert.
+ """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "rare-destination-country"
+name = "Network Traffic to Rare Destination Country"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"
diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml
new file mode 100644
index 000000000..42a76680d
--- /dev/null
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -0,0 +1,36 @@
+[metadata]
+creation_date = "2021/04/05"
+maturity = "production"
+updated_date = "2021/04/05"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusually large spike in network activity to one
+destination country in the network logs. This could be due to unusually large amounts
+of reconnaissance or enumeration traffic. Data exfiltration activity may also produce
+such a surge in traffic to a destination country which does not normally appear in network
+traffic or business work-flows. Malware instances and persistence mechanisms may communicate
+with command-and-control (C2) infrastructure in their country of origin, which may be an
+unusual destination country for the source network.
+"""
+false_positives = [
+ """
+ Business workflows that occur very occasionally, and involve an unusual surge in network traffic
+ to one destination country, can trigger this alert. A new business workflow or a surge in business
+ activity in a particular country may trigger this alert. Business travelers who roam to many
+ countries for brief periods may trigger this alert if they engage in volumetric network activity.
+ """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "high-count-by-destination-country"
+name = "Spike in Network Traffic To a Country"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573"
+severity = "low"
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
+type = "machine_learning"