From 97ff7fb26e9145b439b24da3073d21547c6816fe Mon Sep 17 00:00:00 2001 From: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Date: Sat, 14 Oct 2023 10:23:48 -0700 Subject: [PATCH] [New Rule] Adding Data Exfiltration Rules from Advanced Analytic DED Package (#3126) * Adding DED rules * adding integration manifests and schemas for DED * Updating min stack version * updating manifests and schemas to match main * added setup note; updated references --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: terrancedejesus --- ...ytes_destination_geo_country_iso_code.toml | 52 ++++++++++++++++++ ...ltration_ml_high_bytes_destination_ip.toml | 52 ++++++++++++++++++ ...ration_ml_high_bytes_destination_port.toml | 51 ++++++++++++++++++ ...ml_high_bytes_destination_region_name.toml | 52 ++++++++++++++++++ ...high_bytes_written_to_external_device.toml | 52 ++++++++++++++++++ ...es_written_to_external_device_airdrop.toml | 53 +++++++++++++++++++ ...re_process_writing_to_external_device.toml | 52 ++++++++++++++++++ 7 files changed, 364 insertions(+) create mode 100644 rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml create mode 100644 rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml create mode 100644 rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml create mode 100644 rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml create mode 100644 rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml create mode 100644 rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml create mode 100644 rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml 
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
new file mode 100644
index 000000000..4e9710e76
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
+name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
new file mode 100644
index 000000000..1bba24f12
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
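Review bot: The description in this file still says `(by region name)`, but everything else in the rule keys on the destination country ISO code — the job id is `ded_high_sent_bytes_destination_geo_country_iso_code` and the name is "Potential Data Exfiltration Activity to an Unusual ISO Code" — so this looks like a copy of the region-name rule's text that was not adjusted. An analyst triaging the alert will read the description and look at the wrong field. Suggest changing the first description line to `A machine learning job has detected data exfiltration to a particular geo-location (by country ISO code). Data transfers to`. The region-name rule later in this patch keeps its own wording and is not affected.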
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
+name = "Potential Data Exfiltration Activity to an Unusual IP Address"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c"
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
new file mode 100644
index 000000000..b1af3e632
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
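Review bot: The description frames this rule as a geo-location anomaly ("to a particular geo-location (by IP address)", "Data transfers to geo-locations that are outside…"), while the job id `ded_high_sent_bytes_destination_ip` and the name "…to an Unusual IP Address" say the anomaly is on the destination IP itself; the two geo rules in this patch already cover country code and region, so the wording here blurs what is being detected. Assuming the job does partition on the destination IP field, suggest `A machine learning job has detected data exfiltration to a particular destination IP address. Data transfers to` and `IP addresses that are outside the normal traffic patterns of an organization could indicate exfiltration over command` for the first two description lines.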
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are
+outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_port"
+name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
new file mode 100644
index 000000000..8692fed9a
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
+name = "Potential Data Exfiltration Activity to an Unusual Region"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
new file mode 100644
index 000000000..36e40ec6a
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected high bytes of data written to an external device. In a typical operational setting,
+there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually
+large amount of data being written is anomalous and can signal illicit data copying or transfer activities.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device"
+name = "Spike in Bytes Sent to an External Device"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d"
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
new file mode 100644
index 000000000..aafcbc007
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical
+operational setting, there is usually a predictable pattern or a certain range of data that is written to external
+devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer
+activities.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
+name = "Spike in Bytes Sent to an External Device via Airdrop"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1011"
+name = "Exfiltration Over Other Network Medium"
+reference = "https://attack.mitre.org/techniques/T1011/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
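Review bot: The user-facing `name` and the description spell the Apple feature "Airdrop"; the product name is "AirDrop", and since the rule name is what analysts search for and see on alerts, it is worth getting right before the rule ships as production. Suggest `name = "Spike in Bytes Sent to an External Device via AirDrop"` and, in the first description line, `…written to an external device via AirDrop. In a typical`. The job id `ded_high_bytes_written_to_external_device_airdrop` is an identifier and should stay as is.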
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
new file mode 100644
index 000000000..10a537763
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a rare process writing data to an external device. Malicious actors often use
+benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no
+legitimate reason to write data to external devices can indicate exfiltration.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_rare_process_writing_to_external_device"
+name = "Unusual Process Writing Data to an External Device"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+