From e57cf31867bd074098cae6a52d606d86310aa32d Mon Sep 17 00:00:00 2001 
From: Bobby Filar <29960025+bfilar@users.noreply.github.com> Date: Fri, 20 May 2022 15:02:27 -0500 Subject: [PATCH] Modifying rules assoc w/ deprecation of v2 ML jobs (#1846) * modifying rules assoc w/ deprecation of v2 ML jobs * modified updated_date field * fixed machine_learning_job_id and added min_stack_version * replacing rest of deprecated jobs with new naming convention * Update ml_suspicious_login_activity.toml * removing rules assoc w/ deprecated ML jobs * Update rules/ml/ml_linux_anomalous_compiler_activity.toml Co-authored-by: Justin Ibarra * Update rules/ml/ml_linux_anomalous_compiler_activity.toml Co-authored-by: Justin Ibarra * updated ml job rules to reflect 8.3 changes * updating min_stack_version for ml detection rules Co-authored-by: Craig Chamberlain Co-authored-by: Justin Ibarra Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com> Removed changes from: - rules/ml/ml_linux_anomalous_compiler_activity.toml - rules/ml/ml_linux_anomalous_metadata_process.toml - rules/ml/ml_linux_anomalous_metadata_user.toml - rules/ml/ml_linux_anomalous_network_activity.toml - rules/ml/ml_linux_anomalous_network_port_activity.toml - rules/ml/ml_linux_anomalous_process_all_hosts.toml - rules/ml/ml_linux_anomalous_sudo_activity.toml - rules/ml/ml_linux_anomalous_user_name.toml - rules/ml/ml_linux_system_information_discovery.toml - rules/ml/ml_linux_system_network_configuration_discovery.toml - rules/ml/ml_linux_system_network_connection_discovery.toml - rules/ml/ml_linux_system_process_discovery.toml - rules/ml/ml_linux_system_user_discovery.toml - rules/ml/ml_rare_process_by_host_linux.toml - rules/ml/ml_rare_process_by_host_windows.toml - rules/ml/ml_suspicious_login_activity.toml - rules/ml/ml_windows_anomalous_metadata_process.toml - rules/ml/ml_windows_anomalous_metadata_user.toml - rules/ml/ml_windows_anomalous_network_activity.toml - rules/ml/ml_windows_anomalous_path_activity.toml - rules/ml/ml_windows_anomalous_process_all_hosts.toml 
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
(selectively cherry picked from commit 9a739b7e4c8e1b87a3f065be3ae966261e018fe1)
---
 ...nux_anomalous_kernel_module_arguments.toml | 46 -------------------
 .../ml_linux_anomalous_network_service.toml | 25 ----------
 ..._linux_anomalous_network_url_activity.toml | 33 -------------
 3 files changed, 104 deletions(-)
 delete mode 100644 rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
 delete mode 100644 rules/ml/ml_linux_anomalous_network_service.toml
 delete mode 100644 rules/ml/ml_linux_anomalous_network_url_activity.toml

diff --git a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
deleted file mode 100644
index 8762da02f..000000000
--- a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
+++ /dev/null
@@ -1,46 +0,0 @@
-[metadata]
-creation_date = "2020/09/03"
-maturity = "production"
-updated_date = "2021/08/25"
-
-[rule]
-anomaly_threshold = 25
-author = ["Elastic"]
-description = """
-Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for
-stealth.
-"""
-false_positives = [
- """
- A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection.
- Troubleshooting or debugging activity using unusual arguments could also trigger this detection.
- """,
-]
-from = "now-45m"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "linux_rare_kernel_module_arguments"
-name = "Anomalous Kernel Module Activity"
-risk_score = 21
-rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
-severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1547"
-name = "Boot or Logon Autostart Execution"
-reference = "https://attack.mitre.org/techniques/T1547/"
-[[rule.threat.technique.subtechnique]]
-id = "T1547.006"
-name = "Kernel Modules and Extensions"
-reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
deleted file mode 100644
index db8f67fce..000000000
--- a/rules/ml/ml_linux_anomalous_network_service.toml
+++ /dev/null
@@ -1,25 +0,0 @@
-[metadata]
-creation_date = "2020/03/25"
-maturity = "production"
-updated_date = "2021/03/03"
-
-[rule]
-anomaly_threshold = 50
-author = ["Elastic"]
-description = """
-Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors,
-or persistence mechanisms.
-"""
-false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
-from = "now-45m"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "linux_anomalous_network_service"
-name = "Unusual Linux Network Service"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "52afbdc5-db15-596e-bc35-f5707f820c4b"
-severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
-type = "machine_learning"
-
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
deleted file mode 100644
index af83c72b8..000000000
--- a/rules/ml/ml_linux_anomalous_network_url_activity.toml
+++ /dev/null
@@ -1,33 +0,0 @@
-[metadata]
-creation_date = "2020/03/25"
-maturity = "production"
-updated_date = "2021/03/03"
-
-[rule]
-anomaly_threshold = 50
-author = ["Elastic"]
-description = """
-A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and
-execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is
-entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However,
-Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download
-additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.
-"""
-false_positives = [
- """
- A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting
- could trigger this alert.
- """,
-]
-from = "now-45m"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "linux_anomalous_network_url_activity_ecs"
-name = "Unusual Linux Web Activity"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "52afbdc5-db15-485e-bc35-f5707f820c4c"
-severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
-type = "machine_learning"
-