From dfbf86e85322dd5fa6e06d512dc599a1b23a09a6 Mon Sep 17 00:00:00 2001
From: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com>
Date: Thu, 22 Aug 2024 09:17:41 -0400
Subject: [PATCH] Update ProblemChild detection rules with High and Low probability (#4000)
* Updated ProblemChild detection rules
---
 ...ion_ml_suspicious_windows_event_high_probability.toml | 6 +++---
 ...ion_ml_suspicious_windows_event_low_probability.toml} | 9 +++++----
 2 files changed, 8 insertions(+), 7 deletions(-)
 rename rules/integrations/problemchild/{defense_evasion_ml_suspicious_windows_event.toml => defense_evasion_ml_suspicious_windows_event_low_probability.toml} (88%)
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index 74da2a7dc..9ada6eca8 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/08/21"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = [
 "https://docs.elastic.co/en/integrations/problemchild",
 "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
 ]
-risk_score = 21
+risk_score = 73
 rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
 setup = """## Setup
@@ -43,7 +43,7 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 - Follow the instructions under the **Installation** section.
 - For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 """
-severity = "low"
+severity = "high"
 tags = [
 "OS: Windows",
 "Data Source: Elastic Endgame",
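Review bot: The second and third hunks raise this rule to `risk_score = 73` and `severity = "high"` while the patch leaves this file's query untouched, so nothing in the commit shows what separates it from the sibling low-probability rule. That sibling now gates on `problemchild.prediction_probability <= 0.98`, so the high rating is only meaningful if this rule's query (outside the patch) restricts to the complementary `problemchild.prediction_probability > 0.98`; worth confirming, and worth stating that threshold in this rule's description so an analyst triaging a high alert knows what "high probability" means. If this rule also keeps an `or blocklist_label == 1` clause, every blocklist hit would raise both a high and a low alert for the same process event, so the blocklist clause should live in only one of the two rules.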
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
similarity index 88%
rename from rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
rename to rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
index 089b7ea53..12ba9cd1c 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
@@ -2,12 +2,12 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/08/21"
 [rule]
 author = ["Elastic"]
 description = """
-A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low
 probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
 malicious.
 """
@@ -15,7 +15,7 @@ from = "now-10m"
 index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
+name = "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score"
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
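Review bot: The new description line in the first hunk says the model identified an event `with low probability of it being malicious activity`, which reads as if the model considers the event probably benign; the query still requires `problemchild.prediction == 1`, so what is low is the prediction probability score (at or below 0.98 per the query change later in this patch), not the verdict. Suggested wording for that line: `A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event as malicious with a low prediction probability score (at or below 0.98).`, keeping the blocklist sentence as is. Separately, the unchanged `integration = ["problemchild", "endpoint"]` context line omits `"windows"` even though the second hunk shows `index` including `winlogbeat-*` and the sibling high-probability rule in this patch lists `["problemchild", "endpoint", "windows"]`; aligning the two keeps the pair consistent.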
@@ -57,7 +57,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
 '''