[New Rule] Adding DGA Rules from Advanced Analytic DGA Package (#3102)

* Adding DGA rules

* Adding references

* updated rule tags and queries

* Updating min stack version

* added logic to handle ml jobs

* added code comments for clarity

* removing subbed security docs folder

* added event dataset to queries for endpoint; updated note

* removed event dataset

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit a5a606e804)

detection_rules/integrations.py

@@ -335,7 +335,9 @@ def get_integration_schema_data(data, meta, package_integrations: dict) -> Gener
                 if integration is None:
                     # Use all fields from each dataset
                     for dataset in integrations_schemas[package][package_version]:
-                        schema.update(integrations_schemas[package][package_version][dataset])
+                        # ignore jobs from machine learning packages
+                        if dataset != "jobs":
+                            schema.update(integrations_schemas[package][package_version][dataset])
                 else:
                     if integration not in integrations_schemas[package][package_version]:
                         raise ValueError(f"Integration {integration} not found in package {package} "

detection_rules/rule.py

@@ -1127,16 +1127,18 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
             elif isinstance(node, FieldComparison) and str(node.field) == 'event.dataset':
                 datasets.update(set(str(n) for n in node if isinstance(n, kql.ast.Value)))
 
-        if not datasets:
-            # windows and endpoint integration do not have event.dataset fields in queries
-            # integration is None to remove duplicate references upstream in Kibana
-            rule_integrations = meta.get("integration", [])
-            if rule_integrations:
-                for integration in rule_integrations:
-                    ineligible_integrations = definitions.NON_DATASET_PACKAGES + \
-                        [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)]
-                    if integration in ineligible_integrations or isinstance(data, MachineLearningRuleData):
-                        packaged_integrations.append({"package": integration, "integration": None})
+        # integration is None to remove duplicate references upstream in Kibana
+        # chronologically, event.dataset is checked for package:integration, then rule tags
+        # if both exist, rule tags are only used if defined in definitions for non-dataset packages
+        # of machine learning analytic packages
+
+        rule_integrations = meta.get("integration", [])
+        if rule_integrations:
+            for integration in rule_integrations:
+                ineligible_integrations = definitions.NON_DATASET_PACKAGES + \
+                    [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)]
+                if integration in ineligible_integrations or isinstance(data, MachineLearningRuleData):
+                    packaged_integrations.append({"package": integration, "integration": None})
 
         for value in sorted(datasets):
             integration = 'Unknown'

rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml

@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is
+predicted to be the result of a Domain Generation Algorithm.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 99
+rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
+severity = "critical"
+tags = [
+    "Domain: Network",
+    "Domain: Endpoint",
+    "Data Source: Elastic Defend",
+    "Use Case: Domain Generation Algorithm Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity
+is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address
+making DNS requests that have an aggregate high probability of being DGA activity.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "dga_high_sum_probability"
+name = "Potential DGA Activity"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 21
+rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1"
+severity = "low"
+tags = [
+    "Use Case: Domain Generation Algorithm Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Command and Control",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml

@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain
+Generation Algorithm (DGA), which could indicate command and control network activity.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Machine Learning Detected a DNS Request With a High DGA Probability Score"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 21
+rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69"
+severity = "low"
+tags = [
+    "Domain: Network",
+    "Domain: Endpoint",
+    "Data Source: Elastic Defend",
+    "Use Case: Domain Generation Algorithm Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ml_is_dga.malicious_probability > 0.98
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml

@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain
+Generation Algorithm (DGA), which could indicate command and control network activity.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Machine Learning Detected a DNS Request Predicted to be a DGA Domain"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 21
+rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4"
+severity = "low"
+tags = [
+    "Domain: Network",
+    "Domain: Endpoint",
+    "Data Source: Elastic Defend",
+    "Use Case: Domain Generation Algorithm Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+