[New Rule] Add detection rules for auth ML jobs (#1283)

* Adding detection rules for auth ML jobs

* name prefix

added the prefix "auth" to the file names

* Added descriptions

* Adding new lines and updating license

* FP text

added FP metadata

Co-authored-by: Craig <mailredirector36@gmail.com>

rules/ml/ml_auth_rare_hour_for_a_user_to_logon.toml

@@ -0,0 +1,26 @@
+[metadata]
+creation_date = "2021/06/10"
+maturity = "production"
+updated_date = "2021/06/10"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to
+credentialed access via a compromised account when the user and the threat actor are in different time zones. In
+addition, unauthorized user activity often takes place during non-business hours.
+"""
+false_positives = ["Users working late, or logging in from unusual time zones while traveling, may trigger this rule."]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "auth_rare_hour_for_a_user"
+name = "Unusual Hour for a User to Logon"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "745b0119-0560-43ba-860a-7235dd8cee8d"
+severity = "low"
+tags = ["Elastic", "Authentication", "Threat Detection", "ML"]
+type = "machine_learning"
+

rules/ml/ml_auth_rare_source_ip_for_a_user.toml

@@ -0,0 +1,27 @@
+[metadata]
+creation_date = "2021/06/10"
+maturity = "production"
+updated_date = "2021/06/10"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to
+credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual
+source IP address for a username could also be due to lateral movement when a compromised account is used to pivot
+between hosts.
+"""
+false_positives = ["Business travelers who roam to new locations may trigger this alert."]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "auth_rare_source_ip_for_a_user"
+name = "Unusual Source IP for a User to Logon from"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
+severity = "low"
+tags = ["Elastic", "Authentication", "Threat Detection", "ML"]
+type = "machine_learning"
+

rules/ml/ml_auth_rare_user_logon.toml

@@ -0,0 +1,34 @@
+[metadata]
+creation_date = "2021/06/10"
+maturity = "production"
+updated_date = "2021/06/10"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of
+detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive,
+because the user has left the organization, which becomes active, may be due to credentialed access using a compromised
+account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web
+application.
+"""
+false_positives = [
+    """
+    User accounts that are rarely active, such as an SRE or developer logging into a prod server for troubleshooting,
+    may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the
+    model is learning.
+    """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "auth_rare_user"
+name = "Rare User Logon"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a"
+severity = "low"
+tags = ["Elastic", "Authentication", "Threat Detection", "ML"]
+type = "machine_learning"
+

rules/ml/ml_auth_spike_in_failed_logon_events.toml

@@ -0,0 +1,31 @@
+[metadata]
+creation_date = "2021/06/10"
+maturity = "production"
+updated_date = "2021/06/10"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job found an unusually large spike in authentication failure events. This can be due to password
+spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.
+"""
+false_positives = [
+    """
+    A misconfigured service account can trigger this alert. A password change on ana account used by an email client can
+    trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this
+    alert.
+    """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "auth_high_count_logon_fails"
+name = "Spike in Failed Logon Events"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "99dcf974-6587-4f65-9252-d866a3fdfd9c"
+severity = "low"
+tags = ["Elastic", "Authentication", "Threat Detection", "ML"]
+type = "machine_learning"
+

rules/ml/ml_auth_spike_in_logon_events.toml

@@ -0,0 +1,30 @@
+[metadata]
+creation_date = "2021/06/10"
+maturity = "production"
+updated_date = "2021/06/10"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job found an unusually large spike in successful authentication events. This can be due to password
+spraying, user enumeration or brute force activity.
+"""
+false_positives = [
+    """
+    Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or
+    password spraying activities may trigger this alert.
+    """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "auth_high_count_logon_events"
+name = "Spike in Logon Events"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
+severity = "low"
+tags = ["Elastic", "Authentication", "Threat Detection", "ML"]
+type = "machine_learning"
+

rules/ml/ml_auth_spike_in_logon_events_from_a_source_ip.toml

@@ -0,0 +1,30 @@
+[metadata]
+creation_date = "2021/06/10"
+maturity = "production"
+updated_date = "2021/06/10"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job found an unusually large spike in successful authentication events events from a particular
+source IP address. This can be due to password spraying, user enumeration or brute force activity.
+"""
+false_positives = [
+    """
+    Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or
+    password spraying activities may trigger this alert.
+    """,
+]
+from = "now-30m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "auth_high_count_logon_events_for_a_source_ip"
+name = "Spike in Logon Events from a Source IP"
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd"
+severity = "low"
+tags = ["Elastic", "Authentication", "Threat Detection", "ML"]
+type = "machine_learning"
+