security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8e240f9e793d7c24942e4bbe9c8bfceca8d03136
sigma-rules/rules/ml/persistence_ml_rare_process_by_host_linux.toml
T
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00

58 lines
2.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/03/25"
maturity = "production"
updated_date = "2022/08/24"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized
services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared
with other processes running on the host.
"""
false_positives = [
"""
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
alert.
""",
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_rare_process_by_host_linux"]
name = "Unusual Process For a Linux Host"
note = """## Triage and analysis
### Investigating an Unusual Linux Process
Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "46f804f5-b289-43d6-a881-9387cf594f75"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Persistence"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink