Update terminology in ML job rules
This commit is contained in:
Devon Kerr
@@ -14,14 +14,13 @@ activity can denote process exploitation or injection, where the process is used
|
||||
allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network
|
||||
applications.
|
||||
"""
|
||||
false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
|
||||
from = "now-45m"
|
||||
interval = "15m"
|
||||
license = "Elastic License"
|
||||
machine_learning_job_id = "linux_anomalous_network_activity_ecs"
|
||||
name = "Unusual Linux Network Activity"
|
||||
note = """### Investigating Unusual Network Activity ###
|
||||
Signals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:
|
||||
- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
|
||||
- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
|
||||
- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
|
||||
|
||||
@@ -12,7 +12,7 @@ Identifies unusual destination port activity that can indicate command-and-contr
|
||||
exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate
|
||||
unauthorized access or threat actor activity.
|
||||
"""
|
||||
false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
|
||||
false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
|
||||
from = "now-45m"
|
||||
interval = "15m"
|
||||
license = "Elastic License"
|
||||
|
||||
@@ -11,7 +11,7 @@ description = """
|
||||
Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors,
|
||||
or persistence mechanisms.
|
||||
"""
|
||||
false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
|
||||
false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
|
||||
from = "now-45m"
|
||||
interval = "15m"
|
||||
license = "Elastic License"
|
||||
|
||||
@@ -17,7 +17,7 @@ additional software and code. For these reasons, unusual URLs can indicate unaut
|
||||
false_positives = [
|
||||
"""
|
||||
A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting
|
||||
could trigger this signal.
|
||||
could trigger this alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -15,7 +15,7 @@ to all or many hosts in a fleet.
|
||||
false_positives = [
|
||||
"""
|
||||
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
|
||||
signal.
|
||||
alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
@@ -24,7 +24,7 @@ license = "Elastic License"
|
||||
machine_learning_job_id = "linux_anomalous_process_all_hosts_ecs"
|
||||
name = "Anomalous Process For a Linux Population"
|
||||
note = """### Investigating an Unusual Linux Process ###
|
||||
Signals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:
|
||||
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
|
||||
- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
|
||||
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
|
||||
|
||||
@@ -29,7 +29,7 @@ license = "Elastic License"
|
||||
machine_learning_job_id = "linux_anomalous_user_name_ecs"
|
||||
name = "Unusual Linux Username"
|
||||
note = """### Investigating an Unusual Linux User ###
|
||||
Signals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:
|
||||
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?
|
||||
- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
|
||||
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing."""
|
||||
|
||||
@@ -16,7 +16,7 @@ data.
|
||||
false_positives = [
|
||||
"""
|
||||
DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger
|
||||
this signal and such parent domains can be excluded.
|
||||
this alert and such parent domains can be excluded.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -17,9 +17,9 @@ uses for command-and-control communication.
|
||||
false_positives = [
|
||||
"""
|
||||
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
|
||||
signal. Network activity that occurs rarely, in small quantities, can trigger this signal. Possible examples are
|
||||
alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are
|
||||
browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may
|
||||
trigger this signal.
|
||||
trigger this alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -16,9 +16,9 @@ command-and-control communication.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing
|
||||
Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing
|
||||
technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may
|
||||
trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may
|
||||
trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may
|
||||
trigger this when they are used sparsely. Web domains can be excluded in cases such as these.
|
||||
""",
|
||||
]
|
||||
|
||||
@@ -19,9 +19,9 @@ which are part of common Internet background traffic.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing
|
||||
Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing
|
||||
technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may
|
||||
trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may
|
||||
trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may
|
||||
trigger this when they are used sparsely. Web domains can be excluded in cases such as these.
|
||||
""",
|
||||
]
|
||||
|
||||
@@ -19,8 +19,8 @@ activity.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Web activity that is uncommon, like security scans, may trigger this signal and may need to be excluded. A new or
|
||||
rarely used program that calls web services may trigger this signal.
|
||||
Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or
|
||||
rarely used program that calls web services may trigger this alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -15,7 +15,7 @@ with other processes running on the host.
|
||||
false_positives = [
|
||||
"""
|
||||
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
|
||||
signal.
|
||||
alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
@@ -24,7 +24,7 @@ license = "Elastic License"
|
||||
machine_learning_job_id = "rare_process_by_host_linux_ecs"
|
||||
name = "Unusual Process For a Linux Host"
|
||||
note = """### Investigating an Unusual Linux Process ###
|
||||
Signals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
|
||||
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
|
||||
- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
|
||||
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
|
||||
|
||||
@@ -15,7 +15,7 @@ with other processes running on the host.
|
||||
false_positives = [
|
||||
"""
|
||||
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
|
||||
signal.
|
||||
alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
@@ -24,7 +24,7 @@ license = "Elastic License"
|
||||
machine_learning_job_id = "rare_process_by_host_windows_ecs"
|
||||
name = "Unusual Process For a Windows Host"
|
||||
note = """### Investigating an Unusual Windows Process ###
|
||||
Signals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
|
||||
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
|
||||
- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
|
||||
- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
|
||||
|
||||
@@ -10,8 +10,8 @@ author = ["Elastic"]
|
||||
description = "Identifies an unusually high number of authentication attempts."
|
||||
false_positives = [
|
||||
"""
|
||||
Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured
|
||||
applications or account lockouts could trigger this signal.
|
||||
Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured
|
||||
applications or account lockouts could trigger this alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -14,14 +14,14 @@ network activity can denote process exploitation or injection, where the process
|
||||
that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized
|
||||
network applications.
|
||||
"""
|
||||
false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."]
|
||||
false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
|
||||
from = "now-45m"
|
||||
interval = "15m"
|
||||
license = "Elastic License"
|
||||
machine_learning_job_id = "windows_anomalous_network_activity_ecs"
|
||||
name = "Unusual Windows Network Activity"
|
||||
note = """### Investigating Unusual Network Activity ###
|
||||
Signals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:
|
||||
- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
|
||||
- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
|
||||
- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
|
||||
|
||||
@@ -16,8 +16,8 @@ a user downloaded software directly from the Internet or a malicious script or m
|
||||
false_positives = [
|
||||
"""
|
||||
A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting
|
||||
could trigger this signal. Users downloading and running programs from unusual locations, such as temporary
|
||||
directories, browser caches, or profile paths could trigger this signal.
|
||||
could trigger this alert. Users downloading and running programs from unusual locations, such as temporary
|
||||
directories, browser caches, or profile paths could trigger this alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -15,7 +15,7 @@ or many hosts in a fleet.
|
||||
false_positives = [
|
||||
"""
|
||||
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
|
||||
signal.
|
||||
alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
@@ -24,10 +24,10 @@ license = "Elastic License"
|
||||
machine_learning_job_id = "windows_anomalous_process_all_hosts_ecs"
|
||||
name = "Anomalous Process For a Windows Population"
|
||||
note = """### Investigating an Unusual Windows Process ###
|
||||
Signals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:
|
||||
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
|
||||
- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
|
||||
- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
|
||||
- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
|
||||
- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
|
||||
- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
|
||||
- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
|
||||
@@ -37,4 +37,3 @@ rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
|
||||
severity = "low"
|
||||
tags = ["Elastic", "ML", "Windows"]
|
||||
type = "machine_learning"
|
||||
|
||||
|
||||
@@ -17,9 +17,9 @@ a method of detecting new and emerging malware that is not yet recognized by ant
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Users running scripts in the course of technical support operations of software upgrades could trigger this signal.
|
||||
Users running scripts in the course of technical support operations of software upgrades could trigger this alert.
|
||||
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
|
||||
signal.
|
||||
alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -13,8 +13,8 @@ a characteristic of malicious PowerShell script text blocks.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Certain kinds of security testing may trigger this signal. PowerShell scripts that use high levels of obfuscation or
|
||||
have unusual script block payloads may trigger this signal.
|
||||
Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or
|
||||
have unusual script block payloads may trigger this alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -15,7 +15,7 @@ services. This job helps detect malware and persistence mechanisms that have bee
|
||||
false_positives = [
|
||||
"""
|
||||
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
|
||||
signal.
|
||||
alert.
|
||||
""",
|
||||
]
|
||||
from = "now-45m"
|
||||
|
||||
@@ -29,7 +29,7 @@ license = "Elastic License"
|
||||
machine_learning_job_id = "windows_anomalous_user_name_ecs"
|
||||
name = "Unusual Windows Username"
|
||||
note = """### Investigating an Unusual Windows User ###
|
||||
Signals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:
|
||||
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?
|
||||
- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
|
||||
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
|
||||
|
||||
@@ -24,7 +24,7 @@ license = "Elastic License"
|
||||
machine_learning_job_id = "windows_rare_user_type10_remote_login"
|
||||
name = "Unusual Windows Remote User"
|
||||
note = """### Investigating an Unusual Windows User ###
|
||||
Signals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
|
||||
Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
|
||||
- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
|
||||
- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
|
||||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
|
||||
|
||||
Reference in New Issue
Block a user