Update ProblemChild detection rules with High and Low probability (#4000)

* Updated ProblemChild detection rules
Kirti Sodhi
2024-08-22 09:17:41 -04:00
committed by GitHub
parent b6b6f6b482
commit dfbf86e853
2 changed files with 8 additions and 7 deletions
@@ -2,7 +2,7 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/08/21"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ references = [
"https://docs.elastic.co/en/integrations/problemchild",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
risk_score = 73
rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
setup = """## Setup
@@ -43,7 +43,7 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
"""
severity = "low"
severity = "high"
tags = [
"OS: Windows",
"Data Source: Elastic Endgame",
@@ -2,12 +2,12 @@
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/08/21"
[rule]
author = ["Elastic"]
description = """
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low
probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
malicious.
"""
@@ -15,7 +15,7 @@ from = "now-10m"
index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
name = "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score"
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://docs.elastic.co/en/integrations/problemchild",
@@ -57,7 +57,8 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or
blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
'''