From 0affb48b07b35179c8b7d599fa6c164734ba7f5f Mon Sep 17 00:00:00 2001
From: Craig Chamberlain
Date: Mon, 28 Sep 2020 12:13:06 -0400
Subject: [PATCH] [New Rule] Unusual User Calling the Metadata Service [Linux] (#327)
* Create ml_linux_anomalous_metadata_user.toml rule create
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update ml_linux_anomalous_metadata_user.toml
* Update ml_linux_anomalous_metadata_user.toml
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 .../ml/ml_linux_anomalous_metadata_user.toml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/ml/ml_linux_anomalous_metadata_user.toml
diff --git a/rules/ml/ml_linux_anomalous_metadata_user.toml b/rules/ml/ml_linux_anomalous_metadata_user.toml
new file mode 100644
index 000000000..a53d0f6fe
--- /dev/null
+++ b/rules/ml/ml_linux_anomalous_metadata_user.toml
@@ -0,0 +1,29 @@
+[metadata]
+creation_date = "2020/09/22"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/22"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to
+harvest credentials or user data scripts containing secrets.
+"""
+false_positives = [
+ """
+ A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection
+ rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
+ """,
+]
+from = "now-45m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "linux_rare_metadata_user"
+name = "Unusual Linux User Calling the Metadata Service"
+risk_score = 21
+rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
+severity = "low"
+tags = ["Elastic", "Linux", "ML"]
+type = "machine_learning"
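Review bot: The new rule carries no `references` and no investigation `note` under `[rule]`, so an analyst receiving this low-severity alert has nothing in the rule itself to triage it with, even though the description says the target is credential harvesting. Consider adding a `references` array pointing to the cloud providers' instance metadata service documentation and a `note` with triage steps: identify the user and process that issued the request and whether that user normally runs on the host, confirm the destination was the instance metadata endpoint rather than another link-local address, and check whether any credentials or user-data the service returns were subsequently used from an unexpected source. The description could also mention that the ML job (`linux_rare_metadata_user`) only flags an unusual caller, not the content or success of the request, so a hit is a lead rather than proof of exfiltration; I am inferring that from the rule type, since the job definition is not in this patch.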