Adding setup templates to the ML rules (#3798)
* Added setup instructions for ml rules
This commit is contained in:
Kirti Sodhi
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/13"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,27 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "high_distinct_count_error_message"
|
||||
name = "Spike in AWS Error Messages"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### AWS Integration Setup
|
||||
The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “AWS” and select the integration to see more details about it.
|
||||
- Click “Add AWS”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Spike in AWS Error Messages
|
||||
@@ -76,10 +97,6 @@ This rule uses a machine learning job to detect a significant spike in the rate
|
||||
- Take the actions needed to return affected systems, data, or services to their normal operational levels.
|
||||
- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/13"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,27 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "rare_error_code"
|
||||
name = "Rare AWS Error Code"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### AWS Integration Setup
|
||||
The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “AWS” and select the integration to see more details about it.
|
||||
- Click “Add AWS”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Rare AWS Error Code
|
||||
@@ -78,10 +99,6 @@ Detection alerts from this rule indicate a rare and unusual error code that was
|
||||
- Take the actions needed to return affected systems, data, or services to their normal operational levels.
|
||||
- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/13"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -24,6 +24,27 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "rare_method_for_a_city"
|
||||
name = "Unusual City For an AWS Command"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### AWS Integration Setup
|
||||
The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “AWS” and select the integration to see more details about it.
|
||||
- Click “Add AWS”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual City For an AWS Command
|
||||
@@ -80,10 +101,6 @@ Detection alerts from this rule indicate an AWS API command or method call that
|
||||
- Take the actions needed to return affected systems, data, or services to their normal operational levels.
|
||||
- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/13"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -24,6 +24,27 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "rare_method_for_a_country"
|
||||
name = "Unusual Country For an AWS Command"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### AWS Integration Setup
|
||||
The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “AWS” and select the integration to see more details about it.
|
||||
- Click “Add AWS”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual Country For an AWS Command
|
||||
@@ -80,10 +101,6 @@ Detection alerts from this rule indicate an AWS API command or method call that
|
||||
- Take the actions needed to return affected systems, data, or services to their normal operational levels.
|
||||
- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/13"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -23,6 +23,27 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "rare_method_for_a_username"
|
||||
name = "Unusual AWS Command for a User"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### AWS Integration Setup
|
||||
The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “AWS” and select the integration to see more details about it.
|
||||
- Click “Add AWS”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual AWS Command for a User
|
||||
@@ -78,10 +99,6 @@ Detection alerts from this rule indicate an AWS API command or method call that
|
||||
- Take the actions needed to return affected systems, data, or services to their normal operational levels.
|
||||
- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -24,6 +24,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "packetbeat_dns_tunneling"
|
||||
name = "DNS Tunneling"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -27,6 +27,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "packetbeat_rare_dns_question"
|
||||
name = "Unusual DNS Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -30,6 +30,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "packetbeat_rare_urls"
|
||||
name = "Unusual Web Request"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -28,6 +28,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "packetbeat_rare_user_agent"
|
||||
name = "Unusual Web User Agent"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/10"
|
||||
integration = ["auditd_manager", "endpoint", "system"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -23,6 +23,70 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "auth_high_count_logon_fails"
|
||||
name = "Spike in Failed Logon Events"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
- System
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
|
||||
### System Integration Setup
|
||||
The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “System” and select the integration to see more details about it.
|
||||
- Click “Add System”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Spike in Failed Logon Events
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/10"
|
||||
integration = ["auditd_manager", "endpoint", "system"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -22,6 +22,70 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "auth_high_count_logon_events"
|
||||
name = "Spike in Logon Events"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
- System
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
|
||||
### System Integration Setup
|
||||
The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “System” and select the integration to see more details about it.
|
||||
- Click “Add System”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/10"
|
||||
integration = ["auditd_manager", "endpoint", "system"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -22,6 +22,70 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "auth_high_count_logon_events_for_a_source_ip"
|
||||
name = "Spike in Successful Logon Events from a Source IP"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
- System
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
|
||||
### System Integration Setup
|
||||
The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “System” and select the integration to see more details about it.
|
||||
- Click “Add System”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Spike in Successful Logon Events from a Source IP
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/22"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -22,6 +22,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_rare_metadata_process"]
|
||||
name = "Unusual Linux Process Calling the Metadata Service"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/22"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -22,6 +22,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_rare_metadata_user"]
|
||||
name = "Unusual Linux User Calling the Metadata Service"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["auditd_manager", "endpoint", "system"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -19,6 +19,70 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "suspicious_login_activity"
|
||||
name = "Unusual Login Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
- System
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
|
||||
### System Integration Setup
|
||||
The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “System” and select the integration to see more details about it.
|
||||
- Click “Add System”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/22"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -22,6 +22,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_rare_metadata_process"]
|
||||
name = "Unusual Windows Process Calling the Metadata Service"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/22"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -22,6 +22,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_rare_metadata_user"]
|
||||
name = "Unusual Windows User Calling the Metadata Service"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/03"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -24,6 +24,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_system_information_discovery"]
|
||||
name = "Unusual Linux System Information Discovery Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/03"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 25
|
||||
@@ -24,6 +24,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_network_configuration_discovery"]
|
||||
name = "Unusual Linux Network Configuration Discovery"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/03"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 25
|
||||
@@ -24,6 +24,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_network_connection_discovery"]
|
||||
name = "Unusual Linux Network Connection Discovery"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/03"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -24,6 +24,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_system_process_discovery"]
|
||||
name = "Unusual Linux Process Discovery Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "5c983105-4681-46c3-9890-0c66d05e776b"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/03"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -24,6 +24,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_system_user_discovery"]
|
||||
name = "Unusual Linux User Discovery Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "59756272-1998-4b8c-be14-e287035c4d10"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -22,6 +22,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_anomalous_script"]
|
||||
name = "Suspicious Powershell Script"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
references = [
|
||||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
|
||||
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/10"
|
||||
integration = ["auditd_manager", "endpoint", "system"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -18,6 +18,70 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "auth_rare_hour_for_a_user"
|
||||
name = "Unusual Hour for a User to Logon"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
- System
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
|
||||
### System Integration Setup
|
||||
The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “System” and select the integration to see more details about it.
|
||||
- Click “Add System”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual Hour for a User to Logon
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/10"
|
||||
integration = ["auditd_manager", "endpoint", "system"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -19,6 +19,70 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "auth_rare_source_ip_for_a_user"
|
||||
name = "Unusual Source IP for a User to Logon from"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
- System
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
|
||||
### System Integration Setup
|
||||
The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “System” and select the integration to see more details about it.
|
||||
- Click “Add System”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/10"
|
||||
integration = ["auditd_manager", "endpoint", "system"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -25,6 +25,70 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "auth_rare_user"
|
||||
name = "Rare User Logon"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
- System
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
|
||||
### System Integration Setup
|
||||
The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “System” and select the integration to see more details about it.
|
||||
- Click “Add System”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Rare User Logon
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -28,6 +28,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_anomalous_user_name"]
|
||||
name = "Unusual Linux Username"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating an Unusual Linux User
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -28,6 +28,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_anomalous_user_name"]
|
||||
name = "Unusual Windows Username"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating an Unusual Windows User
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login"]
|
||||
name = "Unusual Windows Remote User"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating an Unusual Windows User
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/04/05"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -26,6 +26,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "high_count_network_denies"
|
||||
name = "Spike in Firewall Denies"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/04/05"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -25,6 +25,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "high_count_network_events"
|
||||
name = "Spike in Network Traffic"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -19,6 +19,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_anomalous_network_activity"]
|
||||
name = "Unusual Linux Network Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual Network Activity
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -18,6 +18,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_anomalous_network_port_activity"]
|
||||
name = "Unusual Linux Network Port Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -27,6 +27,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "packetbeat_rare_server_domain"
|
||||
name = "Unusual Network Destination Domain Name"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/04/05"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -29,6 +29,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "rare_destination_country"
|
||||
name = "Network Traffic to Rare Destination Country"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/04/05"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -27,6 +27,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = "high_count_by_destination_country"
|
||||
name = "Spike in Network Traffic To a Country"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Network Packet Capture
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Network Packet Capture Integration Setup
|
||||
The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
|
||||
- Click “Add Network Packet Capture”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Spike in Network Traffic To a Country
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -20,6 +20,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_anomalous_network_activity"]
|
||||
name = "Unusual Windows Network Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual Network Activity
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_anomalous_process_all_hosts"]
|
||||
name = "Anomalous Process For a Linux Population"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Anomalous Process For a Linux Population
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_rare_process_by_host_linux"]
|
||||
name = "Unusual Process For a Linux Host"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual Process For a Linux Host
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -49,6 +49,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_rare_process_by_host_windows"]
|
||||
name = "Unusual Process For a Windows Host"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual Process For a Windows Host
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -25,6 +25,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_anomalous_path_activity"]
|
||||
name = "Unusual Windows Path Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -49,6 +49,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_anomalous_process_all_hosts"]
|
||||
name = "Anomalous Process For a Windows Population"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Anomalous Process For a Windows Population
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -52,6 +52,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_anomalous_process_creation"]
|
||||
name = "Anomalous Windows Process Creation"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Anomalous Windows Process Creation
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_anomalous_service"]
|
||||
name = "Unusual Windows Service"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/03"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 75
|
||||
@@ -22,6 +22,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_rare_sudo_user"]
|
||||
name = "Unusual Sudo Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0"
|
||||
severity = "low"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/03/25"
|
||||
integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,50 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_windows_rare_user_runas_event"]
|
||||
name = "Unusual Windows User Privilege Elevation Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Windows
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Windows Integration Setup
|
||||
The Windows integration allows you to monitor the Windows OS, services, applications, and more.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Windows” and select the integration to see more details about it.
|
||||
- Click “Add Windows”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
|
||||
"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
risk_score = 21
|
||||
rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/03"
|
||||
integration = ["auditd_manager", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/18"
|
||||
|
||||
[rule]
|
||||
anomaly_threshold = 50
|
||||
@@ -23,6 +23,56 @@ interval = "15m"
|
||||
license = "Elastic License v2"
|
||||
machine_learning_job_id = ["v3_linux_rare_user_compiler"]
|
||||
name = "Anomalous Linux Compiler Activity"
|
||||
setup = """## Setup
|
||||
|
||||
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditd Manager
|
||||
|
||||
### Anomaly Detection Setup
|
||||
|
||||
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration to your system:
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
|
||||
- For this detection rule no additional audit rules are required.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
|
||||
severity = "low"
|
||||
|
||||
Reference in New Issue
Block a user