shashank-elastic
56 lines
1.5 KiB
TOML
56 lines
1.5 KiB
TOML
[metadata]
|
|
creation_date = "2020/09/03"
|
|
integration = ["auditd_manager", "endpoint"]
|
|
maturity = "production"
|
|
updated_date = "2024/05/21"
|
|
|
|
[rule]
|
|
anomaly_threshold = 50
|
|
author = ["Elastic"]
|
|
description = """
|
|
Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc
|
|
software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run
|
|
exploits or malware activity.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in
|
|
the course of troubleshooting or fixing a software issue.
|
|
""",
|
|
]
|
|
from = "now-45m"
|
|
interval = "15m"
|
|
license = "Elastic License v2"
|
|
machine_learning_job_id = ["v3_linux_rare_user_compiler"]
|
|
name = "Anomalous Linux Compiler Activity"
|
|
risk_score = 21
|
|
rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
|
|
severity = "low"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Linux",
|
|
"Use Case: Threat Detection",
|
|
"Rule Type: ML",
|
|
"Rule Type: Machine Learning",
|
|
"Tactic: Resource Development",
|
|
]
|
|
type = "machine_learning"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1588"
|
|
name = "Obtain Capabilities"
|
|
reference = "https://attack.mitre.org/techniques/T1588/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1588.001"
|
|
name = "Malware"
|
|
reference = "https://attack.mitre.org/techniques/T1588/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0042"
|
|
name = "Resource Development"
|
|
reference = "https://attack.mitre.org/tactics/TA0042/"
|
|
|