security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0d4db2ecfecedda763363fa5f46ed5829db709f1
sigma-rules/docs-dev/experimental-machine-learning/problem-child.md
T
Sergey Polzunov 3bdda091e1 chore: use docs-dev instead of docs dir for docs (#4522) 
* chore: use `docs-dev` instead of `docs` folder

* patch version bump

* Rollback an incorrect rename

* Use exact docs dir in the helper comment

* Revert some overeager renamings

* Moving `docs` to `docs-dev`

* Update Docs Paths

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-03-07 14:34:51 +01:00

2.7 KiB
Raw Blame History

The setup instructions in this document have been deprecated. Please follow the steps outlined in this blog to enable Living off the Land (LotL) detection in your environment.

ProblemChild in the Elastic Stack

ProblemChild helps detect anomalous activity in Windows process events by:

  1. Classifying events as malicious vs benign
  2. Identifying anomalous events based on rare parent-child process relationships

An end-to-end blog on how to build the ProblemChild framework from scratch for your environment can be found here.

You can also find some supplementary material for the blog and examples here

We also released a blog about getting started with ProblemChild using the CLI and Kibana:

  • [ProblemChild Release Blog](link to blog)

Note: in order to use these ML features, you must have a platinum or higher subscription Note: the ML features are considered experimental in Kibana as well as this rules CLI

Detailed steps

1. Upload and setup the model file and dependencies

Run python -m detection_rules es <args_or_config> experimental ml setup -t <release-tag>

If updating a new model, you should first uninstall any existing models using remove-model

You can also upload files locally using the -d option, so long as the naming convention of the files match the expected pattern for the filenames.

2. Update index pipeline configuration

You will need to update your index (containing Windows process event data) settings to point to the ProblemChild enrichment pipeline.

You can do this by running the following command in your Dev Tools console:

PUT your-index-pattern/_settings
{
  "index": {
    "default_pipeline": "ML_ProblemChild_ingest_pipeline"
  }
}

If you wish to stop enriching your documents using ProblemChild, run the following command in your dev Tools console:

PUT your-index-pattern/_settings
{
  "index": {
    "default_pipeline": null
  }
}

3. Refresh your indexes

You can optionally choose to refresh your index mapping from within Kibana:

  • Navigate to Stack Management > (Kibana) Index Patterns
  • Select the appropriate indexes
  • Click refresh field list

4. Verify enrichment fields

Any documents corresponding to Windows process events should now be enriched with problemchild.*. By default, the enrichment pipeline also consists of a script processor for a blocklist, so you might also see the field blocklist_label appear in documents that match the blocklist.

Reference in New Issue View Git Blame Copy Permalink