sigma-rules/docs/experimental-machine-learning/problem-child.md
Justin Ibarra 0ec8d67e78 Refactor experimental ML CLI and code (#1218)
* move github and ml to their own files
* refactor release and ml commands
* update ML readmes
* add unzip_to_dict function
* prompt for model ID in remove-model
* update experimental rule upload process
* update remove-scripts-pipelines to take multiple options

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Apoorva <appujo@gmail.com>
2021-06-02 20:37:12 -08:00


ProblemChild in the Elastic Stack

ProblemChild helps detect anomalous activity in Windows process events by:

  1. Classifying events as malicious vs benign
  2. Identifying anomalous events based on rare parent-child process relationships

An end-to-end blog on how to build the ProblemChild framework from scratch for your environment can be found here.

You can also find some supplementary material for the blog and examples here.

We also released a blog about getting started with ProblemChild using the CLI and Kibana:

  • [ProblemChild Release Blog](link to blog)

Note: in order to use these ML features, you must have a Platinum or higher subscription.

Note: the ML features are considered experimental in Kibana as well as in this rules CLI.

Detailed steps

1. Upload and set up the model file and dependencies

Run python -m detection_rules es <args_or_config> experimental ml setup -t <release-tag>

If updating to a new model, first uninstall any existing models using remove-model.

You can also upload files locally using the -d option, as long as the file names match the expected naming pattern.

2. Update index pipeline configuration

You will need to update your index (containing Windows process event data) settings to point to the ProblemChild enrichment pipeline.

You can do this by running the following command in your Dev Tools console:

PUT your-index-pattern/_settings
{
  "index": {
    "default_pipeline": "ML_ProblemChild_ingest_pipeline"
  }
}

If you wish to stop enriching your documents using ProblemChild, run the following command in your Dev Tools console:

PUT your-index-pattern/_settings
{
  "index": {
    "default_pipeline": null
  }
}

3. Refresh your indexes

You can optionally choose to refresh your index mapping from within Kibana:

  • Navigate to Stack Management > (Kibana) Index Patterns
  • Select the appropriate indexes
  • Click refresh field list

4. Verify enrichment fields

Any documents corresponding to Windows process events should now be enriched with problemchild.* fields.
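Steps 2 and 4 above can be scripted instead of typed into the Dev Tools console. The following is an added example (not code from the detection-rules project or the ProblemChild release): it builds the same _settings body the README shows, applies it over the Elasticsearch REST API, and then samples recent documents from the index to check how many actually carry problemchild.* fields. It assumes an Elasticsearch base URL and basic-auth credentials in the environment variables ES_URL, ES_USER and ES_PASSWORD, that process events carry an ECS @timestamp field, and the exact field names under problemchild.* are not taken from this page, so the sample documents use constructed names.

```python
"""Added example: switch an index to the ProblemChild ingest pipeline and verify
that documents are enriched. Not part of the detection-rules project.
Assumptions: ES_URL / ES_USER / ES_PASSWORD environment variables, ECS @timestamp."""
import base64
import json
import os
import urllib.request
from typing import Iterator, List, Optional

PIPELINE = "ML_ProblemChild_ingest_pipeline"   # pipeline name from the README
ENRICHMENT_PREFIX = "problemchild."            # field prefix from the README


def settings_body(pipeline: Optional[str]) -> dict:
    """Body for PUT <index-pattern>/_settings. None serialises to null, which
    clears the default pipeline exactly as the README's second command does."""
    return {"index": {"default_pipeline": pipeline}}


def flatten(source: dict, prefix: str = "") -> Iterator[str]:
    """Yield dotted field paths for a document _source, so the check works whether
    the enrichment was stored as a nested object or as dotted keys."""
    for key, value in source.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict) and value:
            yield from flatten(value, path + ".")
        else:
            yield path


def enrichment_fields(source: dict) -> List[str]:
    """All problemchild.* field paths present in one document _source."""
    return sorted(p for p in flatten(source) if p.startswith(ENRICHMENT_PREFIX))


def enrichment_ratio(hits: List[dict]) -> float:
    """Fraction of search hits that carry at least one problemchild.* field."""
    if not hits:
        return 0.0
    enriched = sum(1 for h in hits if enrichment_fields(h.get("_source", {})))
    return enriched / len(hits)


def _request(base_url: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal JSON request against Elasticsearch using basic auth from the environment."""
    creds = f"{os.environ.get('ES_USER', '')}:{os.environ.get('ES_PASSWORD', '')}"
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
    }
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url}/{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def set_default_pipeline(base_url: str, index_pattern: str, pipeline: Optional[str]) -> dict:
    """Step 2: point the index (or pattern) at the pipeline, or clear it with None."""
    return _request(base_url, "PUT", f"{index_pattern}/_settings", settings_body(pipeline))


def verify_enrichment(base_url: str, index_pattern: str, sample_size: int = 50) -> float:
    """Step 4: sample the newest documents and report the enriched fraction.
    Documents ingested before the pipeline switch will not be enriched, so only
    recent events are sampled (sorted on the assumed ECS @timestamp field)."""
    body = {"size": sample_size, "sort": [{"@timestamp": "desc"}], "query": {"match_all": {}}}
    result = _request(base_url, "POST", f"{index_pattern}/_search", body)
    return enrichment_ratio(result["hits"]["hits"])


# Constructed sample hits: the field names under problemchild are placeholders,
# not the real ProblemChild output schema.
CONSTRUCTED_HITS = [
    {"_source": {"process": {"name": "cmd.exe"},
                 "problemchild": {"example_score": 0.02, "example_label": "benign"}}},
    {"_source": {"process": {"name": "svchost.exe"}, "problemchild.example_score": 0.91}},
    {"_source": {"process": {"name": "explorer.exe"}}},   # ingested before the switch
]

if __name__ == "__main__":
    print(json.dumps(settings_body(PIPELINE)))
    print(json.dumps(settings_body(None)))
    print(f"enriched fraction of constructed sample: {enrichment_ratio(CONSTRUCTED_HITS):.2f}")
    if os.environ.get("ES_URL"):   # only talk to a cluster when one is configured
        index_pattern = os.environ.get("ES_INDEX", "your-index-pattern")
        set_default_pipeline(os.environ["ES_URL"], index_pattern, PIPELINE)
        print(f"live enriched fraction: {verify_enrichment(os.environ['ES_URL'], index_pattern):.2f}")
```

An enriched fraction well below 1.0 on recent documents usually means the pipeline setting did not apply to the index you expected (for example a data stream whose backing index name does not match the pattern), which is worth checking before building detections on the problemchild.* fields.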