Moving docs to docs-dev

traut
2025-03-06 16:27:26 +01:00
parent 7ce6aaf566
commit 75abb8d0b5
27 changed files with 0 additions and 1586 deletions
-159
@@ -1,159 +0,0 @@
# Rule coverage
ATT&CK navigator layer files are generated when a package is built with `make release` or
`python -m detection-rules`.This also means they can be downloaded from all successful builds.
These files can be used to pass to a custom navigator session. For convenience, the links are
generated below. You can also include multiple across tabs in a single session, though it is not
advisable to upload _all_ of them as it will likely overload your browsers resources.
## Current rule coverage
The source files for these links are regenerated with every successful merge to main. These represent
coverage from the state of rules in the `main` branch.
**Full coverage**: [![ATT&CK navigator coverage](https://img.shields.io/badge/ATT&CK-Navigator-red.svg)](https://ela.st/detection-rules-navigator-trade)
**Coverage by platform**: [navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-platforms.json&leave_site_dialog=false&tabs=false)
| other navigator links by rule attributes |
|------------------------------------------|
|[Elastic-detection-rules-indexes-](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-.alerts-security.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-apm-WILDCARD-transactionWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-apm-WILDCARD-transactionWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-auditbeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-auditbeat-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-endgame-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-endgame-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-filebeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-filebeat-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-auditd_manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-auditd_manager.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-aws.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-azure.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-azureWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-azureWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-cloud_defendWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-cloud_defendWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-crowdstrike.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-cyberarkpas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-cyberarkpas.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-endpoint.events.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-endpoint.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-endpointWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-endpointWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-fim](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-fim.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-gcpWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-gcpWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-github.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-google_workspaceWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-google_workspaceWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-jamf_protectWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-jamf_protectWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-kubernetes](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-kubernetes.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-m365_defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-m365_defender.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-network_traffic](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-network_traffic.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-o365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-o365.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-o365WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-o365WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-okta](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-okta.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-oktaWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-oktaWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-panw](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-panw.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-sentinel_one_cloud_funnel](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-sentinel_one_cloud_funnel.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-system](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-system.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-windows](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-windows.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-metrics-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-metrics-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-ml_beaconing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-ml_beaconing.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-packetbeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-packetbeat-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-traces-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-traces-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-traces-apmWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-traces-apmWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-winlogbeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-winlogbeat-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-active-directory-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-active-directory-monitoring.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-active-directory](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-active-directory.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-amazon-ec2](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-amazon-ec2.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-amazon-route53](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-amazon-route53.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-amazon-s3](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-amazon-s3.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-amazon-web-services](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-amazon-web-services.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-apm](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-apm.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-asset-visibility](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-asset-visibility.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-cloudwatch](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudwatch.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-ec2](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ec2.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-iam.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-kms](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-kms.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-lambda](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-lambda.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-rds](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-rds.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-route53](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-route53.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-s3](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-s3.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-secrets-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-secrets-manager.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-service-quotas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-service-quotas.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-sign-in](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sign-in.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-signin](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-signin.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-sns](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sns.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-sqs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sqs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-ssm](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ssm.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-sts](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sts.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-systems-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-systems-manager.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-bbr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bbr.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-bpfdoor](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bpfdoor.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-c2-beaconing-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-c2-beaconing-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-cloud](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cloud.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-cobalt-strike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cobalt-strike.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-collection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-collection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-command-and-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-command-and-control.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-configuration-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-audit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-container](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-container.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-credential-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-credential-access.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-crowdstrike.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-cyberark-pas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cyberark-pas.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-data-exfiltration-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-data-exfiltration-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-defense-evasion](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-defense-evasion.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-discovery](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-discovery.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-domain-generation-algorithm-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-domain-generation-algorithm-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-elastic-defend-for-containers](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-defend-for-containers.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-elastic-defend](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-defend.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-elastic-endgame](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-endgame.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-endpoint.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-entra-id-sign-in](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-id-sign-in.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-id.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-execution](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-execution.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-exfiltration](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-exfiltration.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-file-integrity-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-file-integrity-monitoring.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-gcp](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-github.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-google-cloud-platform](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-cloud-platform.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-google-workspace](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-workspace.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-impact](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-impact.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-initial-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-initial-access.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-investigation-guide](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-investigation-guide.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-jamf-protect](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-jamf-protect.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-kubernetes](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-kubernetes.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-lateral-movement-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-lateral-movement-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-lateral-movement](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-lateral-movement.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-lightning-framework](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-lightning-framework.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-linux](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-linux.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-living-off-the-land-attack-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-living-off-the-land-attack-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-log-auditing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-log-auditing.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-machine-learning](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-machine-learning.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-macos](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-macos.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender-for-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-endpoint.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-ml](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ml.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-network-security-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-security-monitoring.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-network](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-okta](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-okta.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-orbit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-orbit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-pan-os](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-pan-os.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-persistence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-persistence.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-powershell-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-powershell-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-privilege-escalation](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-privilege-escalation.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-reconnaissance](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-reconnaissance.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-resource-development](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-resource-development.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-rootkit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-rootkit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-saas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-saas.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-sentinelone](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sentinelone.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-sysmon](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sysmon.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-system](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-system.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-threat-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-threat-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-triplecross](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-triplecross.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-ueba](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ueba.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-vulnerability](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-vulnerability.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-windows](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-windows.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-zoom](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-zoom.json&leave_site_dialog=false&tabs=false)|
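Review bot: the per-tag link table being removed exposes inconsistent tag naming in the rule set that relocating the doc will not fix: `Elastic-detection-rules-tags-ml` and `Elastic-detection-rules-tags-machine-learning` both exist, as do `Elastic-detection-rules-tags-lateral-movement` and `Elastic-detection-rules-tags-lateral-movement-detection`. Since this file is generated at build time, the duplicate layers will reappear wherever docs-dev writes them unless the tags are normalised in the rule files themselves; the hardcoded gist raw URLs should also be checked against what the build now emits so the coverage links do not go stale.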
-214
@@ -1,214 +0,0 @@
# Custom Rules
A custom rule is any rule that is not maintained by Elastic under `rules/` or `rules_building_block`. These docs are intended
to show how to manage custom rules using this repository.
For more detailed breakdown and explanation of employing a detections-as-code approach, refer to the
[dac-reference](https://dac-reference.readthedocs.io/en/latest/index.html).
## Defining a custom rule config and directory structure
The simplest way to maintain custom rules alongside the existing prebuilt rules in the repo, is to decouple where the rules
are stored to minimize VCS conflicts and overlap. This is accomplished by defining a custom rules directory using a config file.
### Understanding the structure
```
custom-rules
├── _config.yaml
└── rules
├── example_rule_1.toml
├── example_rule_2.toml
└── etc
├── deprecated_rules.json
├── packages.yaml
├── stack-schema-map.yaml
├── test_config.yaml
└── version.lock.json
└── actions
├── action_1.toml
├── action_2.toml
└── action_connectors
├── action_connector_1.toml
└── action_connectors_2.toml
└── exceptions
├── exception_1.toml
└── exception_2.toml
```
This structure represents a portable set of custom rules. This is just an example, and the exact locations of the files
should be defined in the `_config.yaml` file. Refer to the details in the default
[_config.yaml](../detection_rules/etc/_config.yaml) for more information.
* deprecated_rules.json - tracks all deprecated rules (optional)
* packages.yaml - information for building packages (mostly optional, but the current version is required)
* stack-schema-map.yaml - a mapping of schemas for query validation
* test_config.yaml - a config file for testing (optional)
* version.lock.json - this tracks versioning for rules (optional depending on versioning strategy)
To initialize a custom rule directory, run `python -m detection_rules custom-rules setup-config <directory>`
### Defining a config
```yaml
rule_dirs:
- rules
files:
deprecated_rules: deprecated_rules.json
packages: packages.yaml
stack_schema_map: stack-schema-map.yaml
version_lock: version.lock.json
directories:
action_dir: actions
action_connector_dir: action_connectors
exception_dir: exceptions
```
Some notes:
* The paths in this file are relative to the custom rules directory (CUSTOM_RULES_DIR/)
* Refer to each original [source file](../detection_rules/etc/example_test_config.yaml) for purpose and proper formatting
* You can also add an optional `bbr_rules_dirs` section for custom BBR rules.
* To bypass using the version lock versioning strategy (version lock file) you can set the optional `bypass_version_lock` value to be `True`
* To normalize the capitalization KQL keywords in KQL rule queries one can use the optional `normalize_kql_keywords` value set to `True` or `False` as desired.
* To manage exceptions tied to rules one can set an exceptions directory using the optional `exception_dir` value (included above) set to be the desired path. If an exceptions directory is explicitly specified in a CLI command, the config value will be ignored.
* To manage action-connectors tied to rules one can set an action-connectors directory using the optional `action_connector_dir` value (included above) set to be the desired path. If an actions_connector directory is explicitly specified in a CLI command, the config value will be ignored.
* To turn on automatic schema generation for non-ecs fields via custom schemas add `auto_gen_schema_file: <path_to_your_json_file>`. This will generate a schema file in the specified location that will be used to add entries for each field and index combination that is not already in a known schema. This will also automatically add it to your stack-schema-map.yaml file when using a custom rules directory and config.
* For Kibana action items, currently these are included in the rule toml files themselves. At a later date, we may allow for bulk editing of rule action items through separate action toml files. The action_dir config key is left available for this later implementation. For now to bulk update, use the bulk actions add rule actions UI in Kibana.
* To on bulk disable elastic validation for optional fields, use the following line `bypass_optional_elastic_validation: True`.
When using the repo, set the environment variable `CUSTOM_RULES_DIR=<directory-with-_config.yaml>`
### Defining a testing config
```yaml
testing:
config: etc/example_test_config.yaml
```
This points to the testing config file (see example under detection_rules/etc/example_test_config.yaml) and can either
be set in `_config.yaml` or as the environment variable `DETECTION_RULES_TEST_CONFIG`, with precedence going to the
environment variable if both are set. Having both these options allows for configuring testing on prebuilt Elastic rules
without specifying a rules _config.yaml.
* Note: If set in this file, the path should be relative to the location of this config. If passed as an environment variable, it should be the full path
### How the config is used and it's designed portability
This repo is designed to operate on certain expectations of structure and config files. By defining the code below, it allows
the design to become portable and based on defined information, rather than the static excpectiations.
```python
RULES_CONFIG = parse_rules_config()
# which then makes the following attribute available for use
@dataclass
class RulesConfig:
"""Detection rules config file."""
deprecated_rules_file: Path
deprecated_rules: Dict[str, dict]
packages_file: Path
packages: Dict[str, dict]
rule_dirs: List[Path]
stack_schema_map_file: Path
stack_schema_map: Dict[str, dict]
test_config: TestConfig
version_lock_file: Path
version_lock: Dict[str, dict]
action_dir: Optional[Path] = None
action_connector_dir: Optional[Path] = None
auto_gen_schema_file: Optional[Path] = None
bbr_rules_dirs: Optional[List[Path]] = field(default_factory=list)
bypass_version_lock: bool = False
exception_dir: Optional[Path] = None
normalize_kql_keywords: bool = True
bypass_optional_elastic_validation: bool = False
# using the stack_schema_map
RULES_CONFIG.stack_schema_map
```
### Version Strategy Warning
- General (`bypass_version_lock = False`)
- Default
- Versions from Kibana or the TOML file are ignored
- Version lock file usage is permitted
- General (`bypass_version_lock = True`)
- Must be explicitly set in the config
- Versions from Kibana or the TOML file are used
- Version lock file usage is not permitted
- Tactical Warning Messages
- Rule import to TOML file will skip version and revision fields when supplied (*rule_prompt* & *import_rules_into_repo*) if `bypass_version_lock = False`. No warning message is issued.
- Rule version lock will not be updated or used if `bypass_version_lock = True` when building a release package (*build_release*). A warning message is issued.
- If versions are in the TOML file, and `bypass_version_lock = False`, the versions in the TOML file will not be used (*autobumped_version*). A warning message is issued.
- If `bypass_version_lock = False`, when autobumping the version, it will check the version lock file and increment if is_dirty (*autobumped_version*), otherwise just use the version supplied. No warning message is issued.
- If `bypass_version_lock = True`, the updating the version lock file will disabled (*update_lock_versions*). A warning message is issued.
- If `bypass_version_lock = True`, loading the version lock file is disabled and skipped. (*from_dict*, *load_from_file*, *manage_versions*, *test_version_lock_has_nested_previous*). A warning message is issued.
### Custom actions, action connectors, and exceptions lists
To convert these to TOML, you can do the following:
1. export the ndjson from Kibana into a `dict` or load from kibana
```python
from detection_rules.action import Action, ActionMeta, TOMLActionContents, TOMLAction
action = Action.from_dict(action_dict)
meta = ActionMeta(...)
action_contents = TOMLActionContents(action=[action], meta=meta)
toml_action = TOMLAction(path=Path, contents=action_contents)
```
Mimick a similar approach for exception lists. Both can then be managed with the `GenericLoader`
```python
from detection_rules.generic_loader import GenericLoader
loader = GenericLoader()
loader.load_directory(...)
```
### Using Custom Schemas
You can specify custom defined schemas for custom indexes using the `etc/stack-schema-map.yaml` in your custom rules directory.
To add a custom schema, add a sub key in the `etc/stack-schema-map.yaml` file under the stack version you wish the custom schema to apply.
Then for its value, reference the json file, or folder of files, where you have your schema defined. Please note, to validate rules with a `min_stack_version` set, the `stack-schema-map.yaml` needs an entry for the highest version.
Example:
```yaml
8.14.0:
beats: 8.12.2
ecs: 8.11.0
endgame: 8.4.0
custom: schemas/custom-schema.json
```
Note: the `custom` key can be any alpha numeric value except `beats`, `ecs`, or `endgame` as these are reserved terms.
Note: Remember if you want to turn on automatic schema generation for non-ecs fields a custom schemas add `auto_gen_schema_file: <path_to_your_json_file>`.
Example schema json:
```json
{
"custom-index*": {
"process.NewCustomValue": "keyword",
"process.AnotherCustomValue": "keyword"
}
}
```
This can then be used in a rule query by adding the index to the applicable rule e.g. `index = ["logs-endpoint.events.*", "custom-index*"]`.
Then one can use the index in the query e.g. `process where host.os.type == "linux" and process.NewCustomValue == "GoodValue"`
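Review bot: the removed Custom Rules text carries defects that should be fixed in the docs-dev copy rather than carried across. The action example `toml_action = TOMLAction(path=Path, contents=action_contents)` passes the `Path` class itself where a file path is expected, so it does not run as written. In prose, `To on bulk disable elastic validation for optional fields` and `rather than the static excpectiations` are garbled, `Mimick` should be `Mimic`, and the heading `How the config is used and it's designed portability` should read `its`. The relative links `[_config.yaml](../detection_rules/etc/_config.yaml)` and `[source file](../detection_rules/etc/example_test_config.yaml)` assume the old directory depth and will break once the file moves.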
-23
@@ -1,23 +0,0 @@
# Deprecating rules
Rules that have been version locked (added to [version.lock.json](../detection_rules/etc/version.lock.json)), which also means they
have been added to the detection engine in Kibana, must be properly [deprecated](#steps-to-properly-deprecate-a-rule).
If a rule was never version locked (not yet pushed to Kibana or still in non-`production` `maturity`), the rule can
simply be removed with no additional changes, or updated the `maturity = "development"`, which will leave it out of the
release package to Kibana.
## Steps to properly deprecate a rule
1. Update the `maturity` to `deprecated`
2. Move the rule file to [rules/_deprecated](../rules/_deprecated)
3. Add `deprecation_date` and update `updated_date` to match
Next time the versions are locked, the rule will be added to the [deprecated_rules.json](../detection_rules/etc/deprecated_rules.json)
file.
### Using the deprecate-rule command
Alternatively, you can run `python -m detection_rules dev deprecate-rule <rule-file>`, which will perform all the steps
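Review bot: `or updated the `maturity = "development"`` in the second paragraph is ungrammatical (it should read `or updated to`), and the closing sentence `which will perform all the steps` ends without a period. The links `[version.lock.json](../detection_rules/etc/version.lock.json)`, `[rules/_deprecated](../rules/_deprecated)` and `[deprecated_rules.json](../detection_rules/etc/deprecated_rules.json)` are relative to the old docs location and need re-pointing when the file lands in docs-dev.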
-73
@@ -1,73 +0,0 @@
# Developing
Notes for managing and internal development
## Transforms
Transforms are data structures within rules which will be integrated into other fields at build
time for rules, meaning they are not directly converted.
### CLI
There are some helper commands to assist with converting transforms into the excpected rule TOML format
- create transform in Kibana
- export it (or copy it)
- run the following commmand and paste them (multiple)
- copy and paste into rule, with minor format changes if needed
```console
(detection_dev) ➜ detection-rules git:(initial_inv_queries) python -m detection_rules dev transforms guide-plugin-convert
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
Enter plugin contents []: !{investigate{"label":"Alerts associated with the host in the last 48h","providers":[[{"field":"event.kind","excluded":false,"queryType":"phrase","value":"signal","valueType":"string"},{"field":"host.name","excluded":false,"queryType":"phrase","value":"{{host.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
[transform]
[[transform.investigate]]
label = "Alerts associated with the host in the last 48h"
providers = [[{field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"}]]
relativeFrom = "now-48h/h"
relativeTo = "now"
```
Other transform support can be found under
`python -m detection-rules dev transforms -h`
#### Testing bypasses with environment variables
Using the environment variable `DR_BYPASS_NOTE_VALIDATION_AND_PARSE` will bypass the Detection Rules validation on the `note` field in toml files.
Using the environment variable `DR_BYPASS_BBR_LOOKBACK_VALIDATION` will bypass the Detection Rules lookback and interval validation
on the building block rules.
Using the environment variable `DR_BYPASS_TAGS_VALIDATION` will bypass the Detection Rules Unit Tests on the `tags` field in toml files.
Using the environment variable `DR_BYPASS_TIMELINE_TEMPLATE_VALIDATION` will bypass the timeline template id and title validation for rules.
## Using the `RuleResource` methods built on detections `_bulk_action` APIs
The following is meant to serve as a simple example of to use the methods
```python
import kibana
from kibana import definitions
rids = ['40e1f208-aaaa-bbbb-98ea-378ccf504ad3', '5e9bc07c-cccc-dddd-a6c0-1cae4a0d256e']
# with TypedDict, either is valid, both with static type checking
set_tags = definitions.RuleBulkSetTags(type='set_tags', value=['tag1', 'tag2'])
delete_tags: definitions.RuleBulkDeleteTags = {'type': 'delete_tags', 'value': ['tag1', 'tag2']}
with kibana:
r1 = RuleResource.bulk_enable(rids, dry_run=True)
r2 = RuleResource.bulk_disable(rids, dry_run=True)
r3 = RuleResource.bulk_duplicate(rids, dry_run=True)
r4 = RuleResource.bulk_export(rids)
r5 = RuleResource.bulk_edit(edit_object=[set_tags, delete_tags], rule_ids=rids, dry_run=True)
r6 = RuleResource.bulk_delete(rids, dry_run=True)
```
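Review bot: the `RuleResource` example at the end of this hunk calls `RuleResource.bulk_enable(rids, dry_run=True)` without ever importing `RuleResource` (only `import kibana` and `from kibana import definitions` are shown), so it fails as written; add the import in the docs-dev copy. The transforms section invokes the CLI two ways, `python -m detection_rules dev transforms guide-plugin-convert` and `python -m detection-rules dev transforms -h`; the hyphenated form is not a valid `-m` module name and should be `detection_rules`. Spelling: `excpected`, `commmand`, and `a simple example of to use the methods` is missing `how`.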
-55
@@ -1,55 +0,0 @@
**The setup instructions in this document have been deprecated. Please follow the steps outlined in [this](https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-Kibana-integration) blog to enable DGA detection in your environment.**
# Machine Learning on Domain Generation Algorithm (DGA)
To create and use supervised DGA ML models to enrich data within the stack, check out these Elastic blogs:
* Part 1: [Machine learning in cybersecurity: Training supervised models to detect DGA activity](https://www.elastic.co/blog/machine-learning-in-cybersecurity-training-supervised-models-to-detect-dga-activity)
* Part 2: [Machine learning in cybersecurity: Detecting DGA activity in network data](https://www.elastic.co/blog/machine-learning-in-cybersecurity-detecting-dga-activity-in-network-data)
You can also find some supplementary material and examples [here](https://github.com/elastic/examples/tree/master/Machine%20Learning/DGA%20Detection)
We also released a blog about getting started with DGA using the CLI and Kibana, which also includes a case study of the process applied to the 2020 [SolarWinds supply chain attack](https://www.elastic.co/blog/elastic-security-provides-free-and-open-protections-for-sunburst):
* [Combining supervised and unsupervised machine learning for DGA detection](https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection)
For questions, please reach out to the ML team in the #machine-learning channel of the
[Elastic community Slack workspace](https://www.elastic.co/blog/join-our-elastic-stack-workspace-on-slack)
The team can also be reached by using the `stack-machine-learning` tag in the [discuss forums](https://discuss.elastic.co/tags/c/elastic-stack/stack-machine-learning)
*Note: in order to use these ML features, you must have a platinum or higher [subscription](https://www.elastic.co/subscriptions)*
*Note: the ML features are considered experimental in Kibana as well as this rules CLI*
## Detailed steps
#### 1. Upload and setup the model file and dependencies
Run `python -m detection_rules es <args_or_config> experimental ml setup -t <release-tag>`
*If updating a new model, you should first uninstall any existing models using `remove-model`*
You can also upload files locally using the `-d` option, so long as the naming convention of the files match the
expected pattern for the filenames.
#### 2. Update packetbeat configuration
You will need to update your packetbeat.yml config file to point to the enrichment pipeline
Under `Elasticsearch Output` add the following:
```yaml
output.elasticsearch:
hosts: ["your-hostname:your-port"]
pipeline: dns_enrich_pipeline
```
#### 3. Refresh your packetbeat index
You can optionally choose to refresh your packetbeat index mapping from within Kibana:
* Navigate to `Stack Management > (Kibana) Index Patterns`
* Select the appropriate packetbeat index
* Click `refresh field list`
#### 4. Verify enrichment fields
Any packetbeat documents with the field `dns.question.registered_domain` should now be enriched with `ml_is_dga.*`
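Review bot: the first line declares `The setup instructions in this document have been deprecated` and points to a Security Labs blog, so moving the remaining steps unchanged into docs-dev relocates instructions the project itself says not to follow; consider keeping only the pointer or marking the detailed steps as historical. If the steps are kept, `If updating a new model, you should first uninstall any existing models using `remove-model`` should read `If updating to a new model`, and the sentence about the `-d` option should state the filename pattern it expects rather than just saying it must match.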
@@ -1,82 +0,0 @@
# Identifying beaconing activity in your environment
The Network Beaconing package consists of all the artifacts required to stand up a framework to identify beaconing activity in your environment. The framework can not only help threat hunters and analysts monitor network traffic for beaconing activity, but also provides useful indicators of compromise (IoCs) for them to start an investigation with.
To deploy this framework in your environment, follow the steps outlined below.
# Detailed steps
#### 1. Obtain artifacts
The Network Beaconing functionality is space aware for privacy. Downloaded artifacts must be modified with the desired space before they can be used.
- Download the release bundle from [here](https://github.com/elastic/detection-rules/releases). The Network Beaconing releases can be identified by the tag `ML-Beaconing-YYYMMDD-N`. Check the release description to make sure it is compatible with the Elastic Stack version you are running. New releases may contain updated artifacts.
- Unzip the contents of `ML-Beaconing-YYYMMDD-N`.
- Run `ml_beaconing_generate_scripts.py` script in the unzipped directory with your Kibana space as the argument.
<div style="margin-left: 40px">
<i>Example of modifying artifacts for the default space</i>
<pre style="margin-top:-2px"><code>python ml_beaconing_generate_scripts.py --space default
</code></pre></div>
- Find a new folder named after your space in the unzipped directory. **You will be using the scripts within this directory for the next steps.**
#### 2. Uploading scripts
- Navigate to `Management / Dev Tools` in Kibana.
- Upload the contents of `ml_beaconing_init_script.json`, `ml_beaconing_map_script.json` and `ml_beaconing_reduce_script.json` using the Script API with the following syntax.
<div style="margin-left: 40px">
<i>uploading scripts</i>
<pre style="margin-top:-2px"><code>
PUT _scripts/ml_beaconing_init_script
{contents of ml_beaconing_init_script.json file}
</code></pre></div>
<div style="margin-left: 40px">
<pre><code>
PUT _scripts/ml_beaconing_map_script
{contents of ml_beaconing_map_script.json file}
</code></pre></div>
<div style="margin-left: 40px">
<pre><code>
PUT _scripts/ml_beaconing_reduce_script
{contents of ml_beaconing_reduce_script.json file}
</code></pre></div>
#### 3. Upload ingest pipeline
Upload the contents of the `ml_beaconing_ingest_pipeline.json` ingest pipeline using the Ingest API with the following syntax.
<div style="margin-left: 40px">
<i>uploading ingest pipeline</i>
<pre style="margin-top:-2px"><code>PUT _ingest/pipeline/ml_beaconing_ingest_pipeline
{contents of ml_beaconing_ingest_pipeline.json file}
</code></pre></div>
#### 5. Upload and start the `pivot` transform
- Upload the contents of `ml_beaconing_pivot_transform.json` using the Transform API with the following syntax. This transform runs hourly and flags beaconing activity seen in your environment, in the 6 hrs prior to runtime:
<div style="margin-left: 40px">
<i>uploading pivot transform</i>
<pre style="margin-top:-2px"><code>PUT _transform/ml_beaconing_pivot_transform
{contents of ml_beaconing_pivot_transform.json file}
</code></pre></div>
- Navigate to `Transforms` under `Management` -> `Stack Management`. For the transform with the ID `ml_beaconing_pivot_transform`, under `Actions`, click `Start`.
- Verify that the Transform started as expected by ensuring that documents are appearing in the destination index of the Transform, eg: using the Search/Count APIs:
<div style="margin-left: 40px">
<i>sample test query</i>
<pre style="margin-top:-2px"><code>GET ml_beaconing_&lt;your-space-name&gt;/_search
</code></pre></div>
#### 6. Import the dashboards
- Navigate to `Management` -> `Stack Management` -> `Kibana` -> `Saved Objects`
- Click on `Import` and import the `ml_beaconing_dashboards.ndjson` file. Choose the `Request Action on conflict` option if you don't want the import to overwrite existing objects, for example the `logs-*` index pattern.
- Navigate to `Analytics` -> `Dashboard`. You should see three dashboards- `Network Beaconing`, which is the main dashboard to monitor beaconing activity, `Beaconing Drilldown` to drilldown into relevant event logs and some statistics related to the beaconing activity, and finally, `Hosts Affected Over Time By Process Name` to monitor the reach of beaconing processes across hosts in your environment, in the past two weeks.
# Note
Platinum and Enterprise customers can enable the anomaly detection job associated with this beaconing identification framework. This job additionally allows users to find processes in their environment that don't normally beacon out. The job configuration and datafeed can be found in the latest experimental detections package, which is available as a GitHub release [here](https://github.com/elastic/detection-rules/releases), with the tag `ML-experimental-detections-YYYMMDD-N`.
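Review bot: the step headings jump from `#### 3. Upload ingest pipeline` to `#### 5. Upload and start the `pivot` transform`; step 4 is missing, so either a step was dropped or the numbering is off, and this needs resolving before the doc is republished. The release tag pattern `ML-Beaconing-YYYMMDD-N` has three Ys, presumably a typo for `YYYYMMDD`. The `<div style="margin-left: 40px">`/`<pre>` wrappers around the API calls are raw HTML inside a markdown doc, and the sample query has already picked up escaped brackets (`GET ml_beaconing_&lt;your-space-name&gt;/_search`); fenced code blocks would render the same and survive a change of renderer in docs-dev.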
@@ -1,28 +0,0 @@
# Experimental ML Jobs and Rules
The ingest pipeline enriches process events by adding additional fields, which are used to power several rules.
The experimental rules and jobs are staged separately from the model bundles under [releases](https://github.com/elastic/detection-rules/releases), with the tag `ML-experimental-detections-YYYMMDD-N`. New releases with this tag may contain either updates to existing rules or new experimental detections.
Note that if a rule is of `type = "machine_learning"`, then it may be dependent on uploading and running a machine
learning job first. If this is the case, it will likely be annotated within the `note` field of the rule.
### Uploading rules
Unzip the release bundle and upload these rules individually.
Rules are now stored in ndjson format and can be imported into Kibana via the security app detections page.
Earlier releases stored the rules in toml format. These can be uploaded using the
[7.12 branch](https://github.com/elastic/detection-rules/tree/7.12) CLI using the
[kibana upload-rule](../../CLI.md#uploading-rules-to-kibana) command
### Uploading ML Jobs and Datafeeds
Unzip the release bundle and then run `python -m detection_rules es <args> experimental ml upload-job <ml_job.json>`
To delete a job/datafeed, run `python -m detection_rules es <args> experimental ml delete-job <job-name> <job-type>`
The CLI automatically identifies whether the provided input file is an ML job or datafeed.
Take note of any errors as the jobs and datafeeds may have dependencies on each other which may require stopping and/or removing
referenced jobs/datafeeds first.
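Review bot: the relative link `[kibana upload-rule](../../CLI.md#uploading-rules-to-kibana)` depends on the file's depth in the tree and will break once this file moves to docs-dev unless the new location sits at exactly the same depth; re-point it in the moved copy. Two smaller carry-overs worth fixing at the same time: the tag pattern `ML-experimental-detections-YYYMMDD-N` has the same three-`Y` typo as the previous file, and "The CLI automatically identifies whether the provided input file is an ML job or datafeed" sits right under `delete-job <job-name> <job-type>`, which requires the type to be passed explicitly, so the sentence should say that auto-detection applies to `upload-job` only.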
@@ -1,220 +0,0 @@
**The setup instructions in this document have been deprecated. Please follow the steps outlined [here](https://www.elastic.co/guide/en/security/current/host-risk-score.html), to enable Host Risk Score in your environment.**
# Host Risk Score
Host Risk Score is an experimental feature that assigns risk scores to hosts in a given Kibana space. Risk scores are calculated for each host by utilizing transforms on the alerting indices. The transform runs hourly to update the score as new alerts are generated. The Host Risk Score [package](https://github.com/elastic/detection-rules/releases) contains all of the required artifacts for setup. The Host Risk Score feature provides drilldown Lens dashboards and additional Kibana features such as the **Host Risk Score Card** on the Overview page of the Elastic Security app, and the **Host Risk Keyword** on the Alert details flyout for an enhanced experience.
### Notes
- **Host name collision**: Hosts are identified by the `host.name` field in alerts. There may be some edge cases where different hosts use the same name. [details](#host-name-collision-details)
## Setup Instructions
1. [Obtain artifacts](#obtain-artifacts)
2. [Upload scripts](#upload-scripts)
3. [Upload ingest pipeline](#upload-ingest-pipeline)
4. [Upload and start the `pivot` transform](#upload-start-pivot)
5. [Create the Host Risk Score index](#host-risk-index)
6. [Upload and start the `latest` transform](#upload-start-latest)
7. [Import dashboards](#import-dashboards)
8. [Enable Kibana features](#enable-kibana)
<h3 id="modify-artifacts">1. Obtain artifacts</h3>
The Host Risk Score functionality is space aware for privacy. Downloaded artifacts must be modified with the desired space before they can be used.
- Download the release bundle from [here](https://github.com/elastic/detection-rules/releases). The Host Risk Score releases can be identified by the tag `ML-HostRiskScore-YYYYMMDD-N`. Check the release description to make sure it is compatible with the Elastic Stack version you are running.
- Unzip the contents of `ML-HostRiskScore-YYYYMMDD-N.zip`.
- Run `ml_hostriskscore_generate_scripts.py` script in the unzipped directory with your Kibana space as the argument.
<div style="margin-left: 40px">
<i>Example of modifying artifacts for the default space</i>
<pre style="margin-top:-2px"><code>python ml_hostriskscore_generate_scripts.py --space default
</code></pre></div>
- Find a new folder named after your space in the unzipped directory. **You will be using the scripts within this directory for the next steps.**
**Note:** Host Risk Score artifacts should be updated if/when you update to a newer Elastic Stack version. To do this, simply download a release bundle that is compatible with your new Stack version and repeat all the steps. Backwards compatibility of release bundles is not guaranteed.
<h3 id="upload-scripts">2. Upload scripts</h3>
- Navigate to `Management / Dev Tools` in Kibana.
- Upload the contents of `ml_hostriskscore_levels_script.json`, `ml_hostriskscore_map_script.json`, `ml_hostriskscore_reduce_script.json` and `ml_hostriskscore_init_script.json` (for Elastic Stack version 8.1+ only) using the Script API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` in the script names below.
<div style="margin-left: 40px">
<i>uploading scripts</i>
<pre style="margin-top:-2px"><code>
PUT _scripts/ml_hostriskscore_levels_script_&lt;your-space-name&gt;
{contents of ml_hostriskscore_levels_script.json file}
</code></pre></div>
<div style="margin-left: 40px">
<pre><code>
PUT _scripts/ml_hostriskscore_map_script_&lt;your-space-name&gt;
{contents of ml_hostriskscore_map_script.json file}
</code></pre></div>
<div style="margin-left: 40px">
<pre><code>
PUT _scripts/ml_hostriskscore_reduce_script_&lt;your-space-name&gt;
{contents of ml_hostriskscore_reduce_script.json file}
</code></pre></div>
<i>For Elastic Stack version 8.1+ only</i>
<div style="margin-left: 40px">
<pre><code>
PUT _scripts/ml_hostriskscore_init_script_&lt;your-space-name&gt;
{contents of ml_hostriskscore_init_script.json file}
</code></pre></div>
<h3 id="upload-ingest-pipeline">3. Upload ingest pipeline</h3>
- Upload the contents of `ml_hostriskscore_ingest_pipeline.json` using the Ingest API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>uploading ingest pipeline</i>
<pre style="margin-top:-2px"><code>PUT _ingest/pipeline/ml_hostriskscore_ingest_pipeline_&lt;your-space-name&gt;
{contents of ml_hostriskscore_ingest_pipeline.json file}
</code></pre></div>
<h3 id="upload-start-pivot">4. Upload and start the <code>pivot</code> transform</h3>
This transform calculates the risk level every hour for each host in the Kibana space specified.
- Upload the contents of `ml_hostriskscore_pivot_transform.json` using the Transform API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>uploading pivot transform</i>
<pre style="margin-top:-2px"><code>PUT _transform/ml_hostriskscore_pivot_transform_&lt;your-space-name&gt;
{contents of ml_hostriskscore_pivot_transform.json file}
</code></pre></div>
- Navigate to `Transforms` under `Management / Stack Management` in Kibana. Find the transform with the ID `ml_hostriskscore_pivot_transform_<your-space-name>`. Open the `Actions` menu on the right side of the row, then click `Start`.
- Confirm the transform is working as expected by navigating to `Management / Dev Tools` and ensuring the target index exists.
<div style="margin-left: 40px">
<i>sample test query</i>
<pre style="margin-top:-2px"><code>GET ml_host_risk_score_&lt;your-space-name&gt;/_search
</code></pre></div>
<h3 id="host-risk-index">5. Create the Host Risk Score index</h3>
- Navigate to `Management / Dev Tools` in Kibana.
- Create the Host Risk Score index (`ml_host_risk_score_latest_<your-space-name>`) with the following mappings.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>creating the Host Risk Score index</i>
<pre style="margin-top:-2px"><code>PUT ml_host_risk_score_latest_&lt;your-space-name&gt;
{
"mappings":{
"properties":{
"host.name":{
"type":"keyword"
}
}
}
}
</code></pre></div>
<h3 id="upload-start-latest">6. Upload and start the <code>latest</code> transform</h3>
This transform recurringly calculates risk levels for all hosts in the Kibana space specified.
- Upload the contents of `ml_hostriskscore_latest_transform.json` using the Transform API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>uploading latest transform</i>
<pre style="margin-top:-2px"><code>PUT _transform/ml_hostriskscore_latest_transform_&lt;your-space-name&gt;
{contents of ml_hostriskscore_latest_transform.json file}
</code></pre></div>
- Navigate to `Transforms` under `Management / Stack Management` in Kibana. Find the transform with the ID `ml_hostriskscore_latest_transform_<your-space-name>`. Open the `Actions` menu on the right side of the row, and click `Start`.
- Confirm the transform is working as expected by navigating to `Management / Dev Tools` and ensuring the target index exists. You should see documents starting to appear in the index if there is ongoing alerting activity associated with hosts.
<div style="margin-left: 40px">
<i>sample test query</i>
<pre style="margin-top:-2px"><code>GET ml_host_risk_score_latest_&lt;your-space-name&gt;/_search
</code></pre></div>
<h3 id="import-dashboards">7. Import dashboards</h3>
- Navigate to `Management / Stack Management / Kibana / Saved Objects` in Kibana.
- Click on `Import` and import the `ml_hostriskscore_dashboards.ndjson` file.
- Navigate to `Analytics / Dashboard`.
- Confirm you can see a dashboard named `Current Risk Scores for Hosts`, which displays the current list (Top 20) of suspicious hosts in your environment.
- Confirm you can see a dashboard named `Drilldown of Host Risk Score`, which allows you to further drill down into details of the risk associated with a particular host of interest.
<h3 id="enable-kibana">8. Enable Kibana features</h3>
To enable the Kibana features for Host Risk Score, you will first need to add the following configuration to `kibana.yml`.
```
xpack.securitySolution.enableExperimental: ['riskyHostsEnabled']
```
#### Instructions to modify `kibana.yml` on Elastic Cloud
1. Navigate to your deployment on the cloud
![Navigate to deployment](./images/1_create_deployment.png)
2. Click on Kibana on the sidebar and click on Edit configuration on your Kibana instance
![Edit Kibana config](./images/2_edit_configuration.png)
3. Click on Edit user settings
![Edit user settings](./images/3_edit_user_settings.png)
4. Modify Kibana configuration by adding `xpack.securitySolution.enableExperimental: ['riskyHostsEnabled']`
![Modify Kibana configuration](./images/4_add_flag.png)
5. Save updated Kibana settings
![Save updated Kibana settings](./images/5_save_settings.png)
6. Confirm activity finished
![Confirm activity finished](./images/6_confirm_activity_finished.png)
7. View Host Risk Score Card on the Overview page
![Host Risk Score card](./images/0a_host_risk_score_card.png)
Once you have modified the `kibana.yml` file, you will find Host Risk Scoring features in the following Kibana locations:
_Host Risk Score card on the Overview page_
![Host Risk Score card](./images/0a_host_risk_score_card.png)
_Host Risk Keyword on Alert Details Flyout_
![Host Risk Keyword](./images/0b_alert_summary.png)
For Elastic Stack version 8.1+ only:
_Host risk classification column in the All hosts table on the Hosts page_
![Hosts page risk classification column](./images/0c_host_page_risk_column.png)
_Hosts by risk tab on the Hosts page_
![Hosts Risk Tab](./images/0d_host_page_hosts_by_risk_tab.png)
The host risk table in the above tab is not affected by the KQL time range. The table shows the latest recorded risk score for each host.
_Host risk overview on the Host details page_
![Host risk overview](./images/0e_host_details_page_risk_overview.png)
_Hosts by risk tab on the Host details page_
![Host Details Risk Tab](./images/0f_host_details_page_hosts_by_risk_tab.png)
<hr/>
##### Host name collision details
Physical Windows clients - desktops and laptops - in an Active Directory forest are unlikely to have name collisions, as their computer accounts and distinguished names should be unique. Non-domain member servers, desktops and laptops, in a Windows workgroup, may occasionally have name collisions. Macs are often not managed by a directory service and may have name collisions. Virtual servers, that are created from templates or cloning processes may have hostname collisions.
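Review bot: the setup TOC links `#obtain-artifacts`, but the step heading defines `id="modify-artifacts"`, so the first TOC entry is a dead anchor while the other seven resolve. The doc also embeds twelve screenshots by relative path (`./images/1_create_deployment.png` through `./images/0f_host_details_page_hosts_by_risk_tab.png`), and the binary entries that follow this file show those images being deleted in the same commit, so the moved copy needs its `images/` directory moved alongside it or every `![...]` will 404. Finally, the file opens with a banner stating that its instructions are deprecated in favour of the official host-risk-score guide; if docs-dev is meant as a staging area for live documentation, consider dropping this file rather than moving it.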
Binary file not shown. Before: Size: 723 KiB
Binary file not shown. Before: Size: 485 KiB
Binary file not shown. Before: Size: 390 KiB
Binary file not shown. Before: Size: 318 KiB
Binary file not shown. Before: Size: 434 KiB
Binary file not shown. Before: Size: 167 KiB
Binary file not shown. Before: Size: 450 KiB
Binary file not shown. Before: Size: 309 KiB
Binary file not shown. Before: Size: 444 KiB
Binary file not shown. Before: Size: 454 KiB
Binary file not shown. Before: Size: 513 KiB
Binary file not shown. Before: Size: 548 KiB
@@ -1,65 +0,0 @@
**The setup instructions in this document have been deprecated. Please follow the steps outlined in [this](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration) blog to enable Living off the Land (LotL) detection in your environment.**
# ProblemChild in the Elastic Stack
ProblemChild helps detect anomalous activity in Windows process events by:
1) Classifying events as malicious vs benign
2) Identifying anomalous events based on rare parent-child process relationships
An end-to-end blog on how to build the ProblemChild framework from scratch for your environment can be found [here](https://www.elastic.co/blog/problemchild-detecting-living-off-the-land-attacks).
You can also find some supplementary material for the blog and examples [here](https://github.com/elastic/examples/tree/master/Machine%20Learning/ProblemChild)
We also released a blog about getting started with ProblemChild using the CLI and Kibana:
* [ProblemChild Release Blog](link to blog)
*Note: in order to use these ML features, you must have a platinum or higher [subscription](https://www.elastic.co/subscriptions)*
*Note: the ML features are considered experimental in Kibana as well as this rules CLI*
## Detailed steps
#### 1. Upload and setup the model file and dependencies
Run `python -m detection_rules es <args_or_config> experimental ml setup -t <release-tag>`
*If updating a new model, you should first uninstall any existing models using `remove-model`*
You can also upload files locally using the `-d` option, so long as the naming convention of the files match the
expected pattern for the filenames.
#### 2. Update index pipeline configuration
You will need to update your index (containing Windows process event data) settings to point to the ProblemChild enrichment pipeline.
You can do this by running the following command in your Dev Tools console:
```
PUT your-index-pattern/_settings
{
"index": {
"default_pipeline": "ML_ProblemChild_ingest_pipeline"
}
}
```
If you wish to stop enriching your documents using ProblemChild, run the following command in your dev Tools console:
```
PUT your-index-pattern/_settings
{
"index": {
"default_pipeline": null
}
}
```
#### 3. Refresh your indexes
You can optionally choose to refresh your index mapping from within Kibana:
* Navigate to `Stack Management > (Kibana) Index Patterns`
* Select the appropriate indexes
* Click `refresh field list`
#### 4. Verify enrichment fields
Any documents corresponding to Windows process events should now be enriched with `problemchild.*`. By default, the enrichment pipeline also consists of a script processor for a blocklist, so you might also see the field `blocklist_label` appear in documents that match the blocklist.
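Review bot: `[ProblemChild Release Blog](link to blog)` is a placeholder URL that was never filled in and will render as a broken link in docs-dev; supply the URL or drop the bullet. In step 2, setting `index.default_pipeline` via `PUT your-index-pattern/_settings` only changes indices that exist at the moment the call is made; indices created afterwards (daily indices, data stream rollovers) will not carry the pipeline, so the doc should tell the reader to add the same setting to the index template, otherwise enrichment silently stops at the next rollover. The file also opens with a deprecation banner pointing at the LotL integration blog, so the same question as for the Host Risk Score doc applies: does a deprecated procedure belong in docs-dev?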
@@ -1,107 +0,0 @@
# Experimental machine learning
This repo contains some additional information and files to use experimental[*](#what-does-experimental-mean-in-this-context) machine learning features and detections
## Features
* [DGA](DGA.md)
* [ProblemChild](problem-child.md)
* [HostRiskScore](host-risk-score.md)
* [URLSpoof](url-spoof.md)
* [UserRiskScore](user-risk-score.md)
* [experimental detections](experimental-detections.md)
## Releases
There are separate [releases](https://github.com/elastic/detection-rules/releases) for:
* DGA: `ML-DGA-*`
* ProblemChild: `ML-ProblemChild-*`
* Host Risk Score: `ML-HostRiskScore-*`
* URL Spoof: `ML-URLSpoof-*`
* experimental detections: `ML-experimental-detections-*`
Releases will use the tag `ML-TYPE-YYYMMDD-N`, which will be needed for uploading the model using the CLI.
## CLI
Support commands can be found under `python -m detection_rules es <es args> experimental ml -h`
```console
Elasticsearch client:
Options:
-et, --timeout INTEGER Timeout for elasticsearch client
-ep, --es-password TEXT
-eu, --es-user TEXT
--elasticsearch-url TEXT
--cloud-id TEXT
* experimental commands are use at your own risk and may change without warning *
Usage: detection_rules es experimental ml [OPTIONS] COMMAND [ARGS]...
Experimental machine learning commands.
Options:
-h, --help Show this message and exit.
Commands:
check-files Check ML model files on an elasticsearch...
delete-job Remove experimental ML jobs.
remove-model Remove ML model files.
remove-scripts-pipelines Remove ML scripts and pipeline files.
setup Upload ML model and dependencies to enrich data.
upload-job Upload experimental ML jobs.
```
## Managing a model and dependencies using the CLI
### Installing
```console
python -m detection_rules es experimental ml setup -h
Elasticsearch client:
Options:
-et, --timeout INTEGER Timeout for elasticsearch client
-ep, --es-password TEXT
-eu, --es-user TEXT
--cloud-id TEXT
--elasticsearch-url TEXT
* experimental commands are use at your own risk and may change without warning *
Usage: detection_rules es experimental ml setup [OPTIONS]
Upload ML model and dependencies to enrich data.
Options:
-t, --model-tag TEXT Release tag for model files staged in detection-
rules (required to download files)
-r, --repo TEXT GitHub repository hosting the model file releases
(owner/repo)
-d, --model-dir DIRECTORY Directory containing local model files
--overwrite Overwrite all files if already in the stack
-h, --help Show this message and exit.
```
### Removing
To remove the ML bundle, you will need to remove the pipelines and scripts first and then the model.
You can do this by running:
* `python -m detection_rules es experimental ml remove-pipeline-scripts --dga --problemchild`
* `python -m detection_rules es experimental ml remove-model <model-id>`
----
##### What does experimental mean in this context?
Experimental model bundles (models, scripts, and pipelines), rules, and jobs are components which are currently in
development and so may not have completed the testing or scrutiny which full production detections are subjected to.
It may also make use of features which are not yet GA and so may be subject to change and are not covered by the support
SLA of general release (GA) features. Some of these features may also never make it to GA.
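Review bot: the Removing section tells the reader to run `experimental ml remove-pipeline-scripts --dga --problemchild`, but the command listing earlier in the same file names the subcommand `remove-scripts-pipelines`; one of the two is wrong and the copy-paste will fail with an unknown-command error, so align it with the actual CLI before the move. The release tag pattern `ML-TYPE-YYYMMDD-N` carries the same three-`Y` typo as the other docs in this commit. The `--help` output reproduced here also reads "experimental commands are use at your own risk"; if that is verbatim CLI output the fix belongs in the CLI's help string, not only in the doc.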
@@ -1,96 +0,0 @@
# URL Spoofing Detection in the Elastic Stack
With the introduction of the ***URL Spoofing*** framework, you can now detect and monitor potentially malicious URLs in your environment.
The framework leverages supervised machine learning methods, threat intelligence enrichments, and customized detection rules to create an alert when you interact with a potentially malicious URL.
*Note: In order to use these ML features, you must have a platinum or higher [subscription](https://www.elastic.co/subscriptions). This is an **experimental** detection capability that currently works with `Packetbeat` data or any index with a corresponding `url.full` field should you choose to use your own index.*
## Detailed Workflow
### 1. Setup enrichment policy
You will first need to setup an enrichment policy to indicate where to get enrichments from.
You can do this by running the following command in your *Dev Tools* console:
```
PUT /_enrich/policy/url_spoofing_enrichment_policy
{
"match": {
"indices": "filebeat-*",
"query": {"match": {"event.dataset": "threatintel.abuseurl"}},
"match_field": "threatintel.indicator.url.domain",
"enrich_fields": ["threatintel.indicator.url.domain"]
}
}
```
*Note: This enrichment pulls in threat intelligence data from `Filebeat`. You must have `Filebeat` data and a corresponding `filebeat-*` index/index pattern.*
### 2. Execute enrichment policy
After setting up the enrichment policy, you will need to execute the policy in order to add enrichments to incoming documents.
Run the following command in your *Dev Tools* console:
```
PUT /_enrich/policy/url_spoofing_enrichment_policy/_execute
```
*Note: You will need to periodically re-execute the enrichment policy to ensure your documents are being enriched with the latest threat intelligence data. To do so, simply re-run the execution script from **Step 2**. Do **NOT** re-run the script from **Step 1**.*
### 3. Upload model and dependencies
Run the following CLI command:
```
python -m detection_rules es <args_or_config> experimental ml setup -t <release-tag>
```
If updating a new model, you should first uninstall any existing models using *remove-model*.
### 4. Update index pipeline configuration
You will need to update your index settings to point to the *URL Spoofing* pipeline.
You can do this by running the following command in your *Dev Tools* console:
```
PUT your-index-pattern/_settings
{
"index": {
"default_pipeline": ml_urlspoof_inference_pipeline
}
}
```
Run the following command in your *Dev Tools* console to stop adding enrichments from the *URL Spoofing* framework to your documents:
```
PUT your-index-pattern/_settings
{
"index": {
"default_pipeline": null
}
}
```
### 5. Refresh your indexes (Optional)
You can optionally choose to refresh your index mapping from within Kibana:
- Navigate to Stack Management > (Kibana) Index Patterns
- Select the appropriate indexes
- Click refresh field list
### 6. Upload detection rule(s)
You can upload the rules associated with the *URL Spoofing* framework using the instructions provided [here](https://github.com/elastic/detection-rules/blob/main/docs/experimental-machine-learning/experimental-detections.md)
And that's it! You should now be alerted whenever you interact with a predicted malicious URL in your environment.
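Review bot: the `default_pipeline` value in step 4 is unquoted (`"default_pipeline": ml_urlspoof_inference_pipeline`), which is not valid JSON, so Elasticsearch rejects the request with a parse error; the ProblemChild doc in this same commit quotes the identical setting correctly, and the moved copy should too. Step 6 links to the absolute URL `https://github.com/elastic/detection-rules/blob/main/docs/experimental-machine-learning/experimental-detections.md`, a path this very commit deletes, so the link goes dead the moment it merges; make it a relative link to the sibling file in docs-dev. Same caveat as ProblemChild on `_settings` against a pattern: indices created after the call will not inherit the pipeline without an index template.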
@@ -1,162 +0,0 @@
**The setup instructions in this document have been deprecated. Please follow the steps outlined [here](https://www.elastic.co/guide/en/security/current/user-risk-score.html), to enable User Risk Score in your environment.**
# User Risk Score
The User Risk Score feature highlights risky usernames from within your environment. It utilizes a transform with a scripted metric aggregation to calculate user risk scores based on alerts that were generated within the past three months. The transform runs hourly to update the score as new alerts are generated. Each alert's contribution to the user risk score is based on the alert's risk score (`signal.rule.risk_score`). The risk score is calculated using a weighted sum where rules with higher time-corrected risk scores also have higher weights. Each risk score is normalized to a scale of 0 to 100.
User Risk Score is an experimental feature that assigns risk scores to usernames in a given Kibana space. Risk scores are calculated for each username by utilizing transforms on the alerting indices. The transform updates the score as new alerts are generated. The User Risk Score [package](https://github.com/elastic/detection-rules/releases/tag/ML-UserRiskScore-20220628-1) contains all of the required artifacts for setup. The User Risk Score feature provides Lens dashboards for viewing summary and detailed username risk score information. The detail view dashboard - Drilldown of User Risk Score - presents detail on why a username has been given a high risk score. In addition, user risk scores are presented in the detailed view for a username in the Elastic Security App.
### On Usernames and Risk Scores
Many alerts contain usernames which were present in the original log or event documents that alert rules, or anomaly rules, matched. These are discrete usernames, not (yet) pointers to a user *entity*. In most environments, each human user has multiple usernames across the various applications and systems they use. In order to investigate a user, it may be necessary to add each of their usernames to the list of usernames being used to filter the output of the detail dashboard.
In some cases, there are certain usernames that are not readily individuated. The Local System, or SYSTEM account, under Windows, for example, has the same name and the same SID (security identifier) on every Windows host. In order to individuate a particular Local System user account, it is necessary to add its hostname as a filter. The user risk score detail dashboard contains tables of alerts by hostname, in addition to username, in order to help identify the hostname(s) associated with a local user that has been given a risk score.
## Setup Instructions
1. [Obtain artifacts](#obtain-artifacts)
2. [Upload scripts](#upload-scripts)
3. [Upload ingest pipeline](#upload-ingest-pipeline)
4. [Upload and start the `pivot` transform](#upload-start-pivot)
5. [Create the User Risk Score index](#user-risk-index)
6. [Upload and start the `latest` transform](#upload-start-latest)
7. [Import dashboards](#import-dashboards)
8. [(Optional) Enable Kibana features](#enable-kibana)
<h3 id="modify-artifacts">1. Obtain artifacts</h3>
The User Risk Score functionality is space aware for privacy. Downloaded artifacts must be modified with the desired space before they can be used.
- Download the release bundle from [here](https://github.com/elastic/detection-rules/releases/tag/ML-UserRiskScore-20220628-1). The User Risk Score releases can be identified by the tag `ML-UserRiskScore-YYYYMMDD-N`. Check the release description to make sure it is compatible with the Elastic Stack version you are running.
- Unzip the contents of `ML-UserRiskScore-YYYYMMDD-N.zip`.
- Run `ml_userriskscore_generate_scripts.py` script in the unzipped directory with your Kibana space as the argument.
<div style="margin-left: 40px">
<i>Example of modifying artifacts for the default space</i>
<pre style="margin-top:-2px"><code>python ml_userriskscore_generate_scripts.py --space default
</code></pre></div>
- Find a new folder named after your space in the unzipped directory. **You will be using the scripts within this directory for the next steps.**
<h3 id="upload-scripts">2. Upload scripts</h3>
- Navigate to `Management / Dev Tools` in Kibana.
- Upload the contents of `ml_userriskscore_levels_script.json`, `ml_userriskscore_map_script.json`, `ml_userriskscore_reduce_script.json` using the Script API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` in the script names below.
<div style="margin-left: 40px">
<i>uploading scripts</i>
<pre style="margin-top:-2px"><code>
PUT _scripts/ml_userriskscore_levels_script_&lt;your-space-name&gt;
{contents of ml_userriskscore_levels_script.json file}
</code></pre></div>
<div style="margin-left: 40px">
<pre><code>
PUT _scripts/ml_userriskscore_map_script_&lt;your-space-name&gt;
{contents of ml_userriskscore_map_script.json file}
</code></pre></div>
<div style="margin-left: 40px">
<pre><code>
PUT _scripts/ml_userriskscore_reduce_script_&lt;your-space-name&gt;
{contents of ml_userriskscore_reduce_script.json file}
</code></pre></div>
<h3 id="upload-ingest-pipeline">3. Upload ingest pipeline</h3>
- Upload the contents of `ml_userriskscore_ingest_pipeline.json` using the Ingest API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>uploading ingest pipeline</i>
<pre style="margin-top:-2px"><code>PUT _ingest/pipeline/ml_userriskscore_ingest_pipeline_&lt;your-space-name&gt;
{contents of ml_userriskscore_ingest_pipeline.json file}
</code></pre></div>
<h3 id="upload-start-pivot">4. Upload and start the <code>pivot</code> transform</h3>
This transform calculates the risk level every hour for each username in the Kibana space specified.
- Upload the contents of `ml_userriskscore_pivot_transform.json` using the Transform API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>uploading pivot transform</i>
<pre style="margin-top:-2px"><code>PUT _transform/ml_userriskscore_pivot_transform_&lt;your-space-name&gt;
{contents of ml_userriskscore_pivot_transform.json file}
</code></pre></div>
- Navigate to `Transforms` under `Management / Stack Management` in Kibana. Find the transform with the ID `ml_userriskscore_pivot_transform_<your-space-name>`. Open the `Actions` menu on the right side of the row, then click `Start`.
- Confirm the transform is working as expected by navigating to `Management / Dev Tools` and ensuring the target index exists.
<div style="margin-left: 40px">
<i>sample test query</i>
<pre style="margin-top:-2px"><code>GET ml_user_risk_score_&lt;your-space-name&gt;/_search
</code></pre></div>
<h3 id="user-risk-index">5. Create the User Risk Score index</h3>
- Navigate to `Management / Dev Tools` in Kibana.
- Create the User Risk Score index (`ml_user_risk_score_latest_<your-space-name>`) with the following mappings.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>creating the User Risk Score index</i>
<pre style="margin-top:-2px"><code>PUT ml_user_risk_score_latest_&lt;your-space-name&gt;
{
"mappings":{
"properties":{
"user.name":{
"type":"keyword"
}
}
}
}
</code></pre></div>
<h3 id="upload-start-latest">6. Upload and start the <code>latest</code> transform</h3>
This transform recurrently calculates risk levels for all usernames in the Kibana space specified.
- Upload the contents of `ml_userriskscore_latest_transform.json` using the Transform API with the following syntax.
- Ensure that your space name (such as `default`) replaces `<your-space-name>` below.
<div style="margin-left: 40px">
<i>uploading latest transform</i>
<pre style="margin-top:-2px"><code>PUT _transform/ml_userriskscore_latest_transform_&lt;your-space-name&gt;
{contents of ml_userriskscore_latest_transform.json file}
</code></pre></div>
- Navigate to `Transforms` under `Management / Stack Management` in Kibana. Find the transform with the ID `ml_userriskscore_latest_transform_<your-space-name>`. Open the `Actions` menu on the right side of the row, and click `Start`.
- Confirm the transform is working as expected by navigating to `Management / Dev Tools` and ensuring the target index exists. You should see documents starting to appear in the index if there is ongoing alerting activity associated with usernames.
<div style="margin-left: 40px">
<i>sample test query</i>
<pre style="margin-top:-2px"><code>GET ml_user_risk_score_latest_&lt;your-space-name&gt;/_search
</code></pre></div>
<h3 id="import-dashboards">7. Import dashboards</h3>
- Navigate to `Management / Stack Management / Kibana / Saved Objects` in Kibana.
- Click on `Import` and import the `ml_userriskscore_dashboards.ndjson` file.
- Navigate to `Analytics / Dashboard`.
- Confirm you can see a dashboard named `Current Risk Scores for Users`, which displays the current list (Top 20) of usernames for which a risk score has been computed.
- Confirm you can see a dashboard named `Drilldown of User Risk Score`, which allows you to further drill down into details of the risk associated with a particular username of interest.
<h3 id="enable-kibana">8. Enable Kibana features</h3>
To enable the Kibana features for User Risk Score, you will first need to add the following configuration to `kibana.yml`.
```
xpack.securitySolution.enableExperimental: ['riskyUsersEnabled']
```
This can be added by editing the kibana.yml file, on a Kibana server instance, or by modifying a Kibana server configuration, in an Elastic Cloud deployment, using the steps documented here:
https://www.elastic.co/guide/en/cloud-enterprise/current/ece-manage-kibana-settings.html
Once you have modified the `kibana.yml` file, you will find User Risk Scoring features in the "User Risk" tab in the detail view for a username. The detail view is reached by clicking a username in the Users page in the Security Solution:
<hr/>
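Review bot: this hunk deletes the user risk score setup guide, including the `kibana.yml` step (`xpack.securitySolution.enableExperimental: ['riskyUsersEnabled']`) and the verification query against `ml_user_risk_score_latest_<your-space-name>`, but the commit carries 0 additions, so the "move" to docs-dev is not visible in this diff and cannot be reviewed for completeness here. Consider doing the relocation as a rename in the same commit so history and rename detection are preserved, or link the commit that adds the files under docs-dev in the description. The headings carry explicit anchors (`id="import-dashboards"`, `id="enable-kibana"`), which suggests inbound deep links exist; grep the repository (README, experimental rule docs, CLI help text) for those anchors and this file's path before merging so they do not dangle.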
-99
@@ -1,99 +0,0 @@
# Insights and visualizations into rules and releases
## Indexing rules for visualizing in Kibana
There are several ways to import or index rules into elasticsearch.
### Indexing rules into Elasticsearch
The simplest way to index rules from the repo into elasticsearch is to run
`python -m detection-rules es index-rules`
This will index an enriched version of all rules included and sent to the index `rules-repo-<package-version>-<package_hash>`
- `package-version` is the version defined in `detection_rules/etc/packages.yaml`
- `package hash` is the sha256 hash of the consolidated rules:
- sorted by name
- flattened
- sorted by key
- base64 encoded
#### Detailed usage
```
Usage: detection_rules es index-rules [OPTIONS]
Index rules based on KQL search results to an elasticsearch instance.
Options:
-q, --query TEXT Optional KQL query to limit to specific rules
-f, --from-file FILENAME Load a previously saved uploadable bulk file
-s, --save_files Optionally save the bulk request to a file
-h, --help Show this message and exit.
```
The query can be any valid kql to reduce the scope of included rules, such as
```
-q "tags:Windows and severity>50"
```
### Generating an index of the rules
Instead of automatically uploading the rules, you can save the files to do so locally and then import/upload
To do so, run `python -m detection-rules generate-rules-index`
This will generate 2 files under `enriched-rule-indexes/<hash-of-package>`:
* `enriched-rules-index-importable.ndjson`
- this is a standard ndjson file of flattened enriched rules
* `enriched-rules-index-uploadable.ndjson`
- this is an ndjson file in the format expected by the `bulk` [api](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-bulk.html)
- this can be loaded via dev tools or sent as data using curl or any other method that hits the elasticsearch bulk api
The rules are _enriched_ with several pieces of information and so are not identical
representations of the rules generated with `view-rule`, though the hashes of the rules are generated
before any enrichments are added.
#### Detailed usage
```
Usage: detection_rules generate-rules-index [OPTIONS]
Generate enriched indexes of rules, based on a KQL search, for
indexing/importing into elasticsearch/kibana.
Options:
-q, --query TEXT Optional KQL query to limit to specific rules
--overwrite Overwrite files in an existing folder
-h, --help Show this message and exit.
```
The query can be any valid kql to reduce the scope of included rules, such as
```
-q "tags:Windows and severity>50"
```
### Importing rules via Kibana
If you have [access](https://www.elastic.co/subscriptions) to machine learning, you can leverage the
[data-visualizer](https://www.elastic.co/guide/en/kibana/7.11/connect-to-elasticsearch.html#upload-data-kibana)
to import the rules via the [importable](#generating-an-index-of-the-rules) file.
### After the rules have been indexed
Once indexed, the rules will need to be added to a [kibana pattern](https://www.elastic.co/guide/en/kibana/7.11/index-patterns.html),
which will then make them searchable via discover or accessible in visualizations. Recommended index pattern is
`rules-*` or `rules-repo-*`
## For internal developers
Along with a series of other artifacts, these files are also generated at package creation, when running:
- `make release`
- `python -m detection-rules build-release`
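Review bot: the deleted "Indexing rules" guide is the only documentation of the `es index-rules` and `generate-rules-index` CLI commands and of how the `rules-repo-<package-version>-<package_hash>` index name and package hash are derived; if that content is relocated rather than dropped, two things in the removed text should be fixed at the destination rather than copied verbatim. First, the Kibana links are pinned to `7.11` (`.../guide/en/kibana/7.11/connect-to-elasticsearch.html`, `.../kibana/7.11/index-patterns.html`) while the Elasticsearch link uses `current`; pin them consistently. Second, the intra-document link `[importable](#generating-an-index-of-the-rules)` depends on the heading text staying identical, so check it still resolves after the move.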
-40
@@ -1,40 +0,0 @@
# Generating detection rule to alert on traffic to typosquatting or homonym domains
## What does the rule do?
This rule helps detect spoofing attacks on domains that you want to protect.
## Steps
### 1. Run [dnstwist](https://github.com/elceef/dnstwist) on the domain you want to watch
Eg: `dnstwist --format json elastic.co | jq`
This should give you a json file consisting of potentially malicious lookalike domains for your domain.
### 2. Index the lookalike domains into Elasticsearch
In order to detect network activity on the lookalike domains using a threat match rule, you would first need to index these domains into an Elasticsearch index using the following CLI command:
`python -m detection_rules typosquat create-dnstwist-index [OPTIONS] INPUT_FILE`
### 3. Prep rule to alert on generated indexes
Run the following CLI command to generate the typosquat rule file, which you will then import into Kibana.
`python -m detection_rules typosquat prep-rule [OPTIONS] AUTHOR`
### 4. Import the rule into Kibana
Import the ndjson rule file generated in the previous step, into Kibana, via the Detection rules UI.
### 5. Detect potentially malicious network activity targeting your organization!
## Note
- You DO NOT need to re-import the rule file each time you have an additional domain to track. For each new domain, you'd run Step 1 to generate the json file consisting of lookalike domains for that domain, followed by the CLI command in Step 2 to index these domains into a new index. This index will automatically be picked up by the rule you imported the very first time.
- For advanced users, the threat indicator indices (`dnstwist-*`) also contain additional context about the lookalike domains, such as fuzzer information. You can query these indices if you would like to get such context about domains that have been alerted on.
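Review bot: the typosquat guide removed here invokes the CLI as `python -m detection_rules typosquat ...` (underscore), while the other docs deleted in this commit use `python -m detection-rules ...` (hyphen); if this text is being relocated to docs-dev, normalize the module invocation to whichever form the repository actually supports so users do not copy a failing command. The guide also documents the `dnstwist-*` indicator index pattern the threat match rule depends on, which is configuration users need to find; make sure the destination remains linked from a user-facing entry point, not only from developer docs.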
-163
@@ -1,163 +0,0 @@
# Rule Supported Versions and Releases
This document provides detailed information about the different versions that are supported and released for prebuilt detection rules.
## Current Version
The current version of prebuilt detection rules is `v8.17`.
## Previous Versions Released
The following version(s) are released along with the current version.
- `v8.16`
- `v8.15`
- `v8.14`
### Previous Versions Maintained
The following version(s) are maintained along with the current version.
- `v8.13`
- `v8.12`
## End of Life Policy
Our policy is to support and provide public releases for `Current`, `Current-1`, `Current-2`, `Current-3` versions. We maintain and do not release `Current-4` and `Current-5` versions.
# Code Supported Versions and Releases
This outlines the versioning strategy and release process for the [detection-rules](https://github.com/elastic/detection-rules) repository, covering the core code, `kql` and `kibana` libraries, configuration files, and the `hunting` folder. The strategy follows semantic versioning to ensure clear communication of changes to users and compatibility with different Elastic Stack versions.
> [!IMPORTANT]
> This versioning process **excludes** the detection rules themselves. Detection rules are released separately and are not tied to the following process.
---
## Versioning Strategy
### Components Covered by Versioning:
- **Core Detection-Rules Code**: Handles logic for rule management, CLI, etc.
- **Libraries**:
- **`kql`**: Manages Kibana Query Language parsing and operations.
- **`kibana`**: Handles integrations and API interactions with Kibana.
- **Configuration Files**: Under the `etc/` folder that impact schema and DAC.
- **Hunting Logic**: The `hunting/` folder, which manages hunting rules.
### Semantic Versioning Approach:
We will use **Semantic Versioning** with the format `MAJOR.MINOR.PATCH`:
- **MAJOR version (`X.0.0`)**: For backward-incompatible changes.
- **MINOR version (`0.Y.0`)**: For backward-compatible new features.
- **PATCH version (`0.0.Z`)**: For backward-compatible bug fixes or small improvements.
> [!NOTE]
> The GitHub labels `patch`, `minor`, or `major` will be used in PRs to indicate the type of change being made.
---
## Versioning Guidelines
### Patch Version (`0.0.Z`):
Increment the patch version when making bug fixes, performance improvements, or small enhancements that do not break backward compatibility. Open a PR to ensure the proper `pyproject.toml` files and any other `version` related files are bumped.
<details><summary>Expand for Examples</summary>
<p>
**Examples**:
- **Kibana Library**:
- Minor fixes to API calls to ensure correct data retrieval.
- Updates to the `kibana` lib without adding new features.
- **KQL Library**:
- Small bug fixes in the query parsing logic.
- Optimizations that don't alter functionality.
- **Core Detection-Rules Code**:
- Fixes for CLI bugs or performance tweaks.
- Minor enhancements to rule management that dont require users to change workflows.
- **Hunting Folder**:
- Bug fixes in hunting rules logic.
- Small performance tweaks for the hunting rule management.
- **Docs Folder**:
- Updates to documentation.
- **JSON Schemas**:
- Recurring update to schema definitions that don't break compatibility (not .py schema updates).
</p>
</details>
---
### Minor Version (`0.Y.0`):
Increment the minor version when adding backward-compatible new features, enhancements, or functionality.
<details><summary>Expand for Examples</summary>
<p>
**Examples**:
- **Kibana Library**:
- Adding a new API endpoint to interact with Elastic Kibana X.Y while maintaining backward compatibility with older versions.
- **KQL Library**:
- Adding new query parsing functionality that is backward-compatible with previous Elastic Stack versions.
- **Core Detection-Rules Code**:
- New CLI commands or functionality for managing detection rules.
- New optional fields in rule schemas that have minimum compatibility requirements. (e.g adding `alert_suppression` with `min_compat=8.14`).
- **Hunting Folder**:
- Adding new hunting rule management features that are optional and backward-compatible.
- Enhancements in generating hunting rule markdown or CLI features.
</p>
</details>
> [!NOTE]
> When bumping this version, the patch version should be reset to `0` and the major version should remain the same.
---
### Major Version (`X.0.0`):
Increment the major version when introducing backward-incompatible changes that require users to update workflows, Elastic Stack versions, or rule management strategies.
<details><summary>Expand for Examples</summary>
<p>
**Examples**:
- **Kibana Library**:
- Replacing or removing an existing API endpoint that forces users to upgrade to Elastic X.Y
- **KQL Library**:
- Structural changes to query parsing logic that break compatibility with previous Elastic Stack versions.
- **Core Detection-Rules Code**:
- Breaking changes to rule schema definitions or CLI workflows that require user updates.
- Forcing users to migrate to a newer Elastic Stack version due to changes in core code or schema compatibility.
- **Hunting Folder**:
- Major refactors of the hunting logic that break existing workflows.
- Changes to how hunting rules are defined or managed, requiring users to adjust configurations.
</p>
</details>
> [!NOTE]
> When bumping this version, the minor version and patch version should be reset to `0`.
---
## Tagging Process
Each pyproject.toml update will be tagged using the following format:
- **Tag Format**: `dev-vX.Y.Z` (e.g., `dev-v1.2.0`).
- **Single Tag for Combined Releases**: If there are changes to the core detection-rules code or libraries (`kql`, `kibana`), they will be tagged together as a single release with the core detection-rules versioning.
- **Hunting Folder**: Changes to the hunting logic will be included in the combined release.
> [!CAUTION]
> When a version is bumped in a lib, we need to also bump the core `pyproject.toml` file *(e.g A version bump in `kql` will also require a similar version bump in the core detection-rules versioning)*.
---
## When to Trigger a GitHub Release
A draft release will be triggered on all version updates. For example, in the following cases:
- **New Feature or Bug Fix**: Once a feature or bug fix is merged into `main`, a version bump is made according to the semantic versioning rules.
- **Version Bump**: After the version bump, a GitHub release will be created using **release-drafter** CI workflow to automate draft release generation.
As pull requests are merged, a draft release is kept up-to-date listing the changes, ready to publish quarterly.
> [!IMPORTANT]
> Releases are published on minor and major version bumps at a minimum. Prior to publishing, the release notes should be reviewed and updated with any additional information, or remove any unnecessary details not related to code changes (which may occur due to release-drafter pulling in all commits).
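Review bot: the first part of this deleted file ("Rule Supported Versions and Releases", stating the current prebuilt rules version `v8.17`, the released `v8.16`/`v8.15`/`v8.14` and maintained `v8.13`/`v8.12` versions, and the `Current` through `Current-5` end-of-life policy) is user-facing support information, whereas the rest is the developer versioning and tagging process; moving both to docs-dev hides the support policy from rule consumers. Suggest keeping the supported-versions section (or a pointer to its new location) in the user-visible docs, and, since the version list changes with every stack release, noting at the destination which process is responsible for updating it.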