diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index 6d3482967..d3de0468a 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml @@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it. -- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets. +- Follow the instructions under the **Installation** section. """ references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml index c716a31cd..d14ed4e45 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml 
@@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it. -- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets. +- Follow the instructions under the **Installation** section. """ references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml index 55bf68afc..fc951b330 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml 
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. -- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml index 88a012b6e..350448b6a 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml 
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. -- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index 20d6850ca..119651afe 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml 
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. -- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml index 1a3e7ef85..b66d2fcbc 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml 
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. -- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index b62f5b169..39917340b 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml 
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. -- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml index d484668f8..9236fbdd1 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml 
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. -- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index fc98cc66a..ea9d9ea56 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml 
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. -- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml index 47b2a9d99..9511cf51e 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml 
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac #### The following steps should be executed to install assets associated with the DGA Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. -- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package. -- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`. -- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. -- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "ml_is_dga": { - "properties": { - "malicious_prediction": { - "type": "long" - }, - "malicious_probability": { - "type": "float" - } - } - } - } -} +- Follow the instructions under the **Installation** section. 
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**. ``` """ severity = "critical" diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index 0830449ff..0832692eb 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml 
@@ -42,32 +42,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac #### The following steps should be executed to install assets associated with the DGA Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. -- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package. -- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`. -- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. -- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "ml_is_dga": { - "properties": { - "malicious_prediction": { - "type": "long" - }, - "malicious_probability": { - "type": "float" - } - } - } - } -} +- Follow the instructions under the **Installation** section. 
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. ``` ### Anomaly Detection Setup diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml index dca1fb0b3..5d7e802bb 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml 
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac #### The following steps should be executed to install assets associated with the DGA Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. -- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package. -- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`. -- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. -- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "ml_is_dga": { - "properties": { - "malicious_prediction": { - "type": "long" - }, - "malicious_probability": { - "type": "float" - } - } - } - } -} +- Follow the instructions under the **Installation** section. 
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**. ``` """ severity = "low" diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml index ef50f1011..d86110729 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml 
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac #### The following steps should be executed to install assets associated with the DGA Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. -- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package. -- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`. -- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. -- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "ml_is_dga": { - "properties": { - "malicious_prediction": { - "type": "long" - }, - "malicious_probability": { - "type": "float" - } - } - } - } -} +- Follow the instructions under the **Installation** section. 
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**. ``` """ severity = "low" diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml index fdac1aa8b..34ee5a285 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml 
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index 619c08ec2..0b13d9e76 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml @@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml index f2930aca5..910d0e198 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml @@ -42,14 +42,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml index f2072d40f..9002606a3 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml @@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml index 283fd1785..95486b7b1 100644 
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml @@ -41,14 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml index fad3bd17f..e652d49ae 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml @@ -40,14 +40,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml index 0c1dccd6c..f2f1c6723 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml @@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml index d3193f054..b155d1cd3 100644 
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml @@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml index cdb15b8e9..6da8b35fb 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml @@ -40,15 +40,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml index 7abc56dfe..793014dff 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml @@ -42,14 +42,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml index d16f9cba3..91706bb4f 100644 --- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml +++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml 
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. -- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets. - -#### Anomaly Detection Setup -Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs. -- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". -- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml index 7a71526db..edab01552 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml 
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml 
@@ -42,43 +42,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} -``` - -### Anomaly Detection Setup -**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated. -- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index eda57d043..f0725aa91 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml 
@@ -42,43 +42,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} -``` - -### Anomaly Detection Setup -**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. -- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index c9039de7f..b61fba180 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml 
@@ -43,43 +43,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} -``` - -### Anomaly Detection Setup -**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. -- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml index 7b8a91cef..e2d62ad5d 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml 
@@ -40,35 +40,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Configure the ingest pipeline**. ``` """ severity = "low" diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml index c134556b6..54e016455 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml 
@@ -40,35 +40,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Configure the ingest pipeline**. ``` """ severity = "low" diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index bfb17d0f2..cd4ee9187 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml 
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} -``` - -### Anomaly Detection Setup -**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. -- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
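Review bot: The hard prerequisite is lost in this hunk: the removed text said **Before you can enable this rule** twice (enriched events via `-problem_child_ingest_pipeline`, then a running anomaly detection job), plus the `@custom` component template mapping for `problemchild.prediction`, `problemchild.prediction_probability` and `blocklist_label`. The replacement only points at a heading, **Add preconfigured anomaly detection jobs**, with no link and no statement of which document it lives in. Keep one sentence stating that the rule cannot be enabled until the ingest pipeline and the anomaly detection job are both in place, and link the integration documentation that contains the referenced section.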
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index f8a89d0a9..9b7646f30 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml 
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} -``` - -### Anomaly Detection Setup -**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. -- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [ 
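Review bot: Two pieces of operational detail from the removed bullets have no replacement: the data views that hold the enriched events (`logs-endpoint.events.*` for Elastic Defend, `winlogbeat-*` for Winlogbeat) and the troubleshooting hint that the "Living off the Land Attack Detection" card under "Use preconfigured jobs" does not appear until the ingest pipeline has written ProblemChild predictions. If that guidance now lives under **Add preconfigured anomaly detection jobs**, say so in the bullet; otherwise keep the data view names here, since they are what the analyst must select when creating the job.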
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index 98ff98440..8e2533acf 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml 
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi #### The following steps should be executed to install assets associated with the LotL Attack Detection integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. -- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets. - -#### Ingest Pipeline Setup -**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package. -- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`. -- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline). - -#### Adding Custom Mappings -- Go to the Kibana homepage. Under Management, click Stack Management. -- Under Data click Index Management and navigate to the Component Templates tab. 
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout: -``` -{ - "properties": { - "problemchild": { - "properties": { - "prediction": { - "type": "long" - }, - "prediction_probability": { - "type": "float" - } - } - }, - "blocklist_label": { - "type": "long" - } - } -} -``` - -### Anomaly Detection Setup -**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. -- Go to the Kibana homepage. Under Analytics, click Machine Learning. -- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat. -- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. -- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. """ severity = "low" tags = [
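Review bot: The replacement bullets are identical across the three `defense_evasion_ml_suspicious_windows_process_cluster_from_*.toml` hunks and nearly so in the first, so the section names they depend on (**Installation**, **Configure the ingest pipeline**, **Add preconfigured anomaly detection jobs**) are now repeated verbatim in four rule notes and will go stale silently if the integration README is reworded. Prefer a link with a stable anchor into the integration documentation, or a single shared setup snippet, over hard-coding the heading text in each rule.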