security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
83406d8ce10ce477de61e381a9bbe727efe76fd7
sigma-rules/docs-dev/experimental-machine-learning/problem-child.md
T
Sergey Polzunov 3bdda091e1 chore: use docs-dev instead of docs dir for docs (#4522) 
* chore: use `docs-dev` instead of `docs` folder

* patch version bump

* Rollback an incorrect rename

* Use exact docs dir in the helper comment

* Revert some overeager renamings

* Moving `docs` to `docs-dev`

* Update Docs Paths

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-03-07 14:34:51 +01:00

66 lines
2.7 KiB
Markdown
Raw Blame History

**The setup instructions in this document have been deprecated. Please follow the steps outlined in [this](https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration) blog to enable Living off the Land (LotL) detection in your environment.**
# ProblemChild in the Elastic Stack
ProblemChild helps detect anomalous activity in Windows process events by:
1) Classifying events as malicious vs benign
2) Identifying anomalous events based on rare parent-child process relationships
An end-to-end blog on how to build the ProblemChild framework from scratch for your environment can be found [here](https://www.elastic.co/blog/problemchild-detecting-living-off-the-land-attacks).
You can also find some supplementary material for the blog and examples [here](https://github.com/elastic/examples/tree/master/Machine%20Learning/ProblemChild)
We also released a blog about getting started with ProblemChild using the CLI and Kibana:
* [ProblemChild Release Blog](link to blog)
*Note: in order to use these ML features, you must have a platinum or higher [subscription](https://www.elastic.co/subscriptions)*
*Note: the ML features are considered experimental in Kibana as well as this rules CLI*
## Detailed steps
#### 1. Upload and setup the model file and dependencies
Run `python -m detection_rules es <args_or_config> experimental ml setup -t <release-tag>`
*If updating a new model, you should first uninstall any existing models using `remove-model`*
You can also upload files locally using the `-d` option, so long as the naming convention of the files match the
expected pattern for the filenames.
#### 2. Update index pipeline configuration
You will need to update your index (containing Windows process event data) settings to point to the ProblemChild enrichment pipeline.
You can do this by running the following command in your Dev Tools console:
```
PUT your-index-pattern/_settings
{
"index": {
"default_pipeline": "ML_ProblemChild_ingest_pipeline"
}
}
```
If you wish to stop enriching your documents using ProblemChild, run the following command in your dev Tools console:
```
PUT your-index-pattern/_settings
{
"index": {
"default_pipeline": null
}
}
```
#### 3. Refresh your indexes
You can optionally choose to refresh your index mapping from within Kibana:
* Navigate to `Stack Management > (Kibana) Index Patterns`
* Select the appropriate indexes
* Click `refresh field list`
#### 4. Verify enrichment fields
Any documents corresponding to Windows process events should now be enriched with `problemchild.*`. By default, the enrichment pipeline also consists of a script processor for a blocklist, so you might also see the field `blocklist_label` appear in documents that match the blocklist.
Reference in New Issue View Git Blame Copy Permalink