[Docs] Update ML_DGA.md (#707)

Justin Ibarra
2020-12-09 23:06:35 +01:00
committed by GitHub
parent a5cd35f498
commit 7c2abc68d7
2 changed files with 17 additions and 10 deletions
+3 -2
@@ -636,8 +636,9 @@ def setup_dga_model(ctx, model_tag, repo, model_dir, overwrite):
click.echo('Ensure that you have updated your packetbeat.yml config file.')
click.echo(' - reference: ML_DGA.md #2-update-packetbeat-configuration')
click.echo('To upload rules, run: kibana upload-rule <dga-rule-files>')
click.echo('To upload ML jobs, run: es experimental upload-ml-job <dga-job-files>')
click.echo('Associated rules and jobs can be found under ML-experimental-detections releases in the repo')
click.echo('To upload rules, run: kibana upload-rule <ml-rule.toml>')
click.echo('To upload ML jobs, run: es experimental upload-ml-job <ml-job.json>')
@es_experimental.command('upload-ml-job')
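Review bot: the new hint "Associated rules and jobs can be found under ML-experimental-detections releases in the repo" tells the user where to look but not which repository, even though `setup_dga_model(ctx, model_tag, repo, ...)` already receives `repo` in owner/repo form; building the hint from that value (for example `click.echo(f'Associated rules and jobs: https://github.com/{repo}/releases')`) would make it actionable instead of leaving the reader to guess. The replacement placeholders `<ml-rule.toml>` and `<ml-job.json>` are an improvement over `<dga-rule-files>` / `<dga-job-files>` because they show the expected file type; the `ML_DGA.md #2-update-packetbeat-configuration` reference on the line above should be double-checked against the heading actually used in the updated doc, since the other hunks in this change rename sections.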
+14 -8
@@ -28,22 +28,28 @@ python -m detection_rules es experimental setup-dga-model -h
Elasticsearch client:
Options:
-u, --elasticsearch-url TEXT
-et, --timeout INTEGER Timeout for elasticsearch client
-ep, --es-password TEXT
-eu, --es-user TEXT
--cloud-id TEXT
-u, --user TEXT
-p, --es-password TEXT
-t, --timeout INTEGER Timeout for elasticsearch client
--elasticsearch-url TEXT
* experimental commands are use at your own risk and may change without warning *
Usage: detection_rules es experimental setup-dga-model [OPTIONS]
Upload DGA model and enrich DNS data.
Upload ML DGA model and dependencies and enrich DNS data.
Options:
-t, --model-tag TEXT Release tag for model files staged in detection-
rules (required to download files)
-r, --repo TEXT GitHub repository hosting the model file releases
(owner/repo)
-d, --model-dir DIRECTORY Directory containing local model files
--overwrite Overwrite all files if already in the stack
-h, --help Show this message and exit.
```
### Detailed steps
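Review bot: the rewritten Elasticsearch client options mix naming styles: `-u, --user` drops the `es-` prefix while `-p, --es-password` keeps it, and `--elasticsearch-url` loses its short flag. The short flag `-t` now also appears twice in the same help excerpt (`-t, --timeout` for the client and `-t, --model-tag` for the command); if click scopes them to the `es` group and the `setup-dga-model` command respectively, the doc should say which one goes before `experimental` and which after, because a reader copying `-t` from this block will otherwise set the wrong option. The unchanged context line `* experimental commands are use at your own risk and may change without warning *` reads as a typo for "are used at your own risk"; since this is a docs-only change it is the natural place to fix it.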
@@ -155,8 +161,8 @@ Job files are checked if they are valid toml and contain the following top level
#### Validation
All of these checks are automated and can be called with:
`python -m detection-rules dev gh-release validate-ml-dga-asset` - for model bundles
`python -m detection-rules dev gh-release validate-ml-detections-asset` for rule/job bundles
`python -m detection_rules dev gh-release validate-ml-dga-asset` - for model bundles
`python -m detection_rules dev gh-release validate-ml-detections-asset` for rule/job bundles
Pay attention to the output to determine any necessary changes. This may not be all inclusive and actual testing on a
live stack should always occur even with passing validation before saving to a GitHub release
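Review bot: the module name correction from `detection-rules` to `detection_rules` is right, because `python -m` cannot import a hyphenated module name and the old commands would have failed outright, but the two corrected bullets are still formatted inconsistently: the first reads `validate-ml-dga-asset` - for model bundles` with a separator and the second `validate-ml-detections-asset` for rule/job bundles` without one. Use the same form for both. The closing sentence "... before saving to a GitHub release" also lacks a full stop.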
@@ -165,7 +171,7 @@ live stack should always occur even with passing validation before saving to a G
Install dependencies with `pip install -r requirements-dev.txt`
A release can be created via the cli using `python -m detection-rules dev gh-release create-ml`
A release can be created via the cli using `python -m detection_rules dev gh-release create-ml`
* you can only use a github token
* the base directory name and release name must match
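Review bot: the same `detection_rules` fix is applied correctly here, but the bullet "you can only use a github token" leaves the reader without the two facts they need: which kind of token is meant and how `gh-release create-ml` reads it (command-line option, environment variable, or prompt). Spell that out, and capitalise `github` as `GitHub` to match "GitHub release" and "GitHub repository" elsewhere in the document; the second bullet, "the base directory name and release name must match", would likewise benefit from a one-line example of a matching pair.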