[ML] Adding new jobs to siem module (#43783) (#44365)

* [ML] Adding new jobs to siem module

* updating descriptions

* removing new jobs

* updating manifests

* adding updated modules

* updating queries

* fixing detector

* updating job descriptions

* updating datafeed ids

* changing duplicate description

* changing match for term

* adding (beta) to descriptions
This commit is contained in:
James Gowdy 2019-08-29 13:47:57 +01:00 committed by GitHub
parent 69b1794567
commit 32a9fcd163
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
30 changed files with 980 additions and 5 deletions


@ -23,24 +23,78 @@
},
"jobs": [
{
"id": "rare_process_linux_ecs",
"file": "rare_process_linux_ecs.json"
"id": "rare_process_by_host_linux_ecs",
"file": "rare_process_by_host_linux_ecs.json"
},
{
"id": "suspicious_login_activity_ecs",
"file": "suspicious_login_activity_ecs.json"
},
{
"id": "linux_anomalous_network_activity",
"file": "linux_anomalous_network_activity.json"
},
{
"id": "linux_anomalous_network_port_activity",
"file": "linux_anomalous_network_port_activity.json"
},
{
"id": "linux_anomalous_network_service",
"file": "linux_anomalous_network_service.json"
},
{
"id": "linux_anomalous_network_url_activity",
"file": "linux_anomalous_network_url_activity.json"
},
{
"id": "linux_anomalous_process_all_hosts",
"file": "linux_anomalous_process_all_hosts.json"
},
{
"id": "linux_anomalous_user_name",
"file": "linux_anomalous_user_name.json"
}
],
"datafeeds": [
{
"id": "datafeed-rare_process_linux_ecs",
"file": "datafeed_rare_process_linux_ecs.json",
"job_id": "rare_process_linux_ecs"
"id": "datafeed-rare_process_by_host_linux_ecs",
"file": "datafeed_rare_process_by_host_linux_ecs.json",
"job_id": "rare_process_by_host_linux_ecs"
},
{
"id": "datafeed-suspicious_login_activity_ecs",
"file": "datafeed_suspicious_login_activity_ecs.json",
"job_id": "suspicious_login_activity_ecs"
},
{
"id": "datafeed-linux_anomalous_network_activity",
"file": "datafeed_linux_anomalous_network_activity.json",
"job_id": "linux_anomalous_network_activity"
},
{
"id": "datafeed-linux_anomalous_network_port_activity",
"file": "datafeed_linux_anomalous_network_port_activity.json",
"job_id": "linux_anomalous_network_port_activity"
},
{
"id": "datafeed-linux_anomalous_network_service",
"file": "datafeed_linux_anomalous_network_service.json",
"job_id": "linux_anomalous_network_service"
},
{
"id": "datafeed-linux_anomalous_network_url_activity",
"file": "datafeed_linux_anomalous_network_url_activity.json",
"job_id": "linux_anomalous_network_url_activity"
},
{
"id": "datafeed-linux_anomalous_process_all_hosts",
"file": "datafeed_linux_anomalous_process_all_hosts.json",
"job_id": "linux_anomalous_process_all_hosts"
},
{
"id": "datafeed-linux_anomalous_user_name",
"file": "datafeed_linux_anomalous_user_name.json",
"job_id": "linux_anomalous_user_name"
}
]
}
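Review bot: The id rename from `rare_process_linux_ecs` to `rare_process_by_host_linux_ecs` (L42-43, L79-81) comes with no migration for installations that already created the job under the old id; presumably re-running the module now installs a second job and datafeed alongside the old pair rather than replacing it, and any saved reference to the old id goes stale. The jobs and datafeeds arrays are kept pairwise consistent, so the manifest itself is fine. Stating whether the old id was ever shipped would settle whether a cleanup step is needed.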


@ -0,0 +1,24 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{"term": {"event.action": "connected-to"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::1"}}
]
}
}
]
}
}
}
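Review bot: The loopback exclusion in `must_not` (L138-140) is hand-enumerated and differs from every sibling datafeed: the section at L152 excludes `::1`, `127.0.0.1` and `::`, the one at L209 excludes `::1`, `127.0.0.1` and `169.254.169.254`, and the Windows copy at L664 repeats this exact list including `127.0.0.53`, a Linux systemd-resolved stub address. Assuming `destination.ip` is mapped as an ECS `ip` field, a term accepts CIDR notation, so `{"term": {"destination.ip": "127.0.0.0/8"}}` together with `{"term": {"destination.ip": "::1"}}` would express the intent once and cover the whole IPv4 loopback block. Whichever form is chosen, the same exclusion should be used in all four datafeeds so the jobs baseline the same traffic.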


@ -0,0 +1,25 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{"term": {"event.action": "connected-to"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip":"::1"}},
{"term": {"destination.ip":"127.0.0.1"}},
{"term": {"destination.ip":"::"}},
{"term": {"user.name_map.uid":"jenkins"}}
]
}
}
]
}
}
}
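Review bot: The `user.name_map.uid: jenkins` exclusion (L169), and the `jenkins-worker`, `jenkins-user`, `jenkins` and `jenkins*` exclusions in the datafeed at L238 (L252-255), bake one environment's CI account names into a module every installation receives; each of those jobs then has a permanent blind spot for activity under those accounts, with nothing recording why. Deployment-specific allowlists belong in per-deployment filters rather than in the shipped datafeed, or at minimum the reason should be stated in the affected job's `description`. Note also that this file writes `"destination.ip":"::1"` without the space after the colon that the other datafeeds use.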


@ -0,0 +1,24 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{"term": {"event.action": "bound-socket"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"process.name": "dnsmasq"}},
{"term": {"process.name": "docker-proxy"}},
{"term": {"process.name": "rpcinfo"}}
]
}
}
]
}
}
}
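Review bot: The `bound-socket` exclusions (L195-197) key only on `process.name`, which is just the reported basename, so the exclusion applies to any process carrying that name rather than to the system daemons it presumably targets. Matching on `process.executable` as well, e.g. `{"term": {"process.executable": "/usr/sbin/dnsmasq"}}` (constructed path, check the real install location), narrows the blind spot to the intended binaries, which matters for a job whose description (L399) is about unauthorized listening services.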


@ -0,0 +1,25 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool":{
"filter": [
{"exists": {"field": "destination.ip"}},
{"terms": {"process.name": ["curl", "wget"]}}
],
"must_not":[
{
"bool":{
"should":[
{"term":{"destination.ip": "::1"}},
{"term":{"destination.ip": "127.0.0.1"}},
{"term":{"destination.ip":"169.254.169.254"}}
]
}
}
]
}
}
}
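Review bot: The `169.254.169.254` exclusion (L226) removes every curl/wget request to the cloud instance metadata endpoint from the baseline of a job described at L453 as looking for unusual web requests; this is presumably to suppress cloud-init noise, but it is a coverage decision that nothing in the module records. Stating the reason in the job `description` (L453), or scoping the exclusion to the process that legitimately polls the endpoint, would make the trade-off visible to whoever tunes the job. Separately, `"bool":{`, `"must_not":[` and `"should":[` (L215, L220, L223) drop the space after the colon that the other datafeeds use.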


@ -0,0 +1,25 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{"term": {"event.action": "executed"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"user.name": "jenkins-worker"}},
{"term": {"user.name": "jenkins-user"}},
{"term": {"user.name": "jenkins"}},
{"wildcard": {"process.name": {"wildcard": "jenkins*"}}}
]
}
}
]
}
}
}


@ -0,0 +1,13 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{"term": {"event.action":"executed"}}
]
}
}
}


@ -0,0 +1,51 @@
{
"job_type": "anomaly_detector",
"description": "SIEM Auditbeat: Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity (beta)",
"groups": [
"siem"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name",
"destination.ip"
]
},
"analysis_limits": {
"model_memory_limit": "64mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,51 @@
{
"job_type": "anomaly_detector",
"description": "SIEM Auditbeat: Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity (beta)",
"groups": [
"siem"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"destination.port\"",
"function": "rare",
"by_field_name": "destination.port"
}
],
"influencers": [
"host.name",
"process.name",
"user.name",
"destination.ip"
]
},
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,50 @@
{
"job_type": "anomaly_detector",
"groups": [
"siem"
],
"description": "SIEM Auditbeat: Looks for unusual listening ports that could indicate execution of unauthorized services, backdoors, or persistence mechanisms (beta)",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"auditd.data.socket.port\"",
"function": "rare",
"by_field_name": "auditd.data.socket.port"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"analysis_limits": {
"model_memory_limit": "128mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,38 @@
{
"job_type": "anomaly_detector",
"groups": [
"siem"
],
"description": "SIEM Auditbeat: Looks for an unusual web URL request from a Linux instance. Curl and wget web request activity is very common but unusual web requests from a Linux server can sometimes be malware delivery or execution (beta)",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.title\"",
"function": "rare",
"by_field_name": "process.title"
}
],
"influencers": [
"host.name",
"destination.ip",
"destination.port"
]
},
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"custom_urls": [
{
"url_name": "Host Details",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
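Review bot: `rare` by `process.title` (L458-460) keys on the full command line, whose cardinality is effectively unbounded, yet the job carries the smallest limit in the set, `"model_memory_limit": "32mb"` (L470); if that limit is reached the job presumably enters its hard-limit state and stops modelling new values, which is easy to miss on a beta job. Either raise the limit in line with the other process-based jobs (`256mb` at L885 and L939) or document the choice. The description at L453 could also say that `process.title` rather than a URL field is what is modelled.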


@ -0,0 +1,50 @@
{
"job_type": "anomaly_detector",
"description": "SIEM Auditbeat: Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms (beta)",
"groups": [
"siem"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"analysis_limits": {
"model_memory_limit": "512mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,50 @@
{
"job_type": "anomaly_detector",
"groups": [
"siem"
],
"description": "SIEM Auditbeat: Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement (beta)",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -17,6 +17,27 @@
{
"id": "rare_process_windows_ecs",
"file": "rare_process_windows_ecs.json"
}, {
"id": "windows_anomalous_network_activity",
"file": "windows_anomalous_network_activity.json"
}, {
"id": "windows_anomalous_path_activity",
"file": "windows_anomalous_path_activity.json"
}, {
"id": "windows_anomalous_process_all_hosts",
"file": "windows_anomalous_process_all_hosts.json"
}, {
"id": "windows_anomalous_process_creation",
"file": "windows_anomalous_process_creation.json"
}, {
"id": "windows_anomalous_script",
"file": "windows_anomalous_script.json"
}, {
"id": "windows_anomalous_service",
"file": "windows_anomalous_service.json"
}, {
"id": "windows_anomalous_user_name",
"file": "windows_anomalous_user_name.json"
}
],
"datafeeds": [
@ -24,6 +45,34 @@
"id": "datafeed-rare_process_windows_ecs",
"file": "datafeed_rare_process_windows_ecs.json",
"job_id": "rare_process_windows_ecs"
}, {
"id": "datafeed-windows_anomalous_network_activity",
"file": "datafeed_windows_anomalous_network_activity.json",
"job_id": "windows_anomalous_network_activity"
}, {
"id": "datafeed-windows_anomalous_path_activity",
"file": "datafeed_windows_anomalous_path_activity.json",
"job_id": "windows_anomalous_path_activity"
}, {
"id": "datafeed-windows_anomalous_process_all_hosts",
"file": "datafeed_windows_anomalous_process_all_hosts.json",
"job_id": "windows_anomalous_process_all_hosts"
}, {
"id": "datafeed-windows_anomalous_process_creation",
"file": "datafeed_windows_anomalous_process_creation.json",
"job_id": "windows_anomalous_process_creation"
}, {
"id": "datafeed-windows_anomalous_script",
"file": "datafeed_windows_anomalous_script.json",
"job_id": "windows_anomalous_script"
}, {
"id": "datafeed-windows_anomalous_service",
"file": "datafeed_windows_anomalous_service.json",
"job_id": "windows_anomalous_service"
}, {
"id": "datafeed-windows_anomalous_user_name",
"file": "datafeed_windows_anomalous_user_name.json",
"job_id": "windows_anomalous_user_name"
}
]
}
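Review bot: The added entries use the collapsed `}, {` form (L601-622, L629-657) whereas the Linux manifest in this same commit puts each brace on its own line (L44-45, L82-83), so the two manifests now diverge in layout for no reason. Reformatting to one element per line here keeps future diffs to both files readable one entry at a time. The id/file/job_id triples themselves are consistent across the two arrays.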


@ -0,0 +1,24 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{"term": {"event.action": "Network connection detected (rule: NetworkConnect)"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::1"}}
]
}
}
]
}
}
}


@ -0,0 +1,15 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": {
"term": {
"event.action": "Process Create (rule: ProcessCreate)"
}
}
}
}
}
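Review bot: `"event.action": "Process Create (rule: ProcessCreate)"` (L701) is an exact-match term on what is presumably the Sysmon process-creation action as rendered by Winlogbeat, and the same filter is repeated verbatim in the datafeeds at L711, L730 and L787; an environment without Sysmon, or a later change to that string, leaves all four datafeeds returning nothing, and the jobs simply see no data rather than failing. The Sysmon prerequisite should be stated in the corresponding job descriptions (e.g. L919, L976). Also, `"filter": {` here is a single object while every other datafeed in the commit writes `"filter": [`; both are accepted, but the array form is easier to extend.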


@ -0,0 +1,15 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": {
"term": {
"event.action": "Process Create (rule: ProcessCreate)"
}
}
}
}
}


@ -0,0 +1,15 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": {
"term": {
"event.action": "Process Create (rule: ProcessCreate)"
}
}
}
}
}


@ -0,0 +1,17 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{
"term": {
"winlog.channel": "Microsoft-Windows-PowerShell/Operational"
}
}
]
}
}
}
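Review bot: The datafeed selects the whole `Microsoft-Windows-PowerShell/Operational` channel (L759) but the job it feeds runs `high_info_content` on `winlog.event_data.ScriptBlockText` (L1035-1037), which only script block logging events carry; every other event in the channel is fetched for nothing. Adding `{"term": {"event.code": "4104"}}` to the `filter` array narrows the feed to those events. The job also depends on Script Block Logging being enabled on the monitored hosts, which the description at L1027 should say.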


@ -0,0 +1,13 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{"term": {"event.code": "7045"}}
]
}
}
}


@ -0,0 +1,15 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": {
"term": {
"event.action": "Process Create (rule: ProcessCreate)"
}
}
}
}
}


@ -0,0 +1,53 @@
{
"job_type": "anomaly_detector",
"description": "SIEM Winlogbeat: Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity (beta)",
"groups": [
"siem"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name",
"detector_index": 0
}
],
"influencers": [
"host.name",
"process.name",
"user.name",
"destination.ip"
]
},
"analysis_limits": {
"model_memory_limit": "64mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
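Review bot: `"detector_index": 0` (L819) and `"categorization_examples_limit": 4` (L831) appear in this job only; the former is presumably derived from detector position by the server anyway, and the latter has no effect without a `categorization_field_name`, which no detector here sets. Dropping both keeps the file in line with the other winlogbeat jobs in the commit. Otherwise the job mirrors its Linux counterpart at L284, including the `64mb` limit.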


@ -0,0 +1,50 @@
{
"job_type": "anomaly_detector",
"groups": [
"siem"
],
"description": "SIEM Winlogbeat: Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths (beta)",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.working_directory\"",
"function": "rare",
"by_field_name": "process.working_directory"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
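Review bot: The description (L868) promises detection of execution from unusual paths, naming user profile paths, but the detector (L873-875) is `rare` by `process.working_directory`, the current directory of the process rather than the location of its binary, and the two are not the same thing. Either key the detector on `process.executable` as the job at L917 does, or reword the description to say working directory so the analyst reading it knows what was baselined.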


@ -0,0 +1,50 @@
{
"job_type": "anomaly_detector",
"description": "SIEM Winlogbeat: Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized services, malware, or persistence mechanisms (beta)",
"groups": [
"siem"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.executable\"",
"function": "rare",
"by_field_name": "process.executable"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,50 @@
{
"job_type": "anomaly_detector",
"groups": [
"siem"
],
"description": "SIEM Winlogbeat: Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms (beta)",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Unusual process creation activity",
"function": "rare",
"by_field_name": "process.name",
"partition_field_name": "process.parent.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
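Review bot: `custom_settings` (L1000) lacks the `"created_by": "ml-module-siem-winlogbeat"` line that every other job in this module carries (e.g. L838, L892, L946); if anything in the SIEM UI selects jobs by that marker, as the consistent use suggests, this job will be left out. Add `"created_by": "ml-module-siem-winlogbeat",` before `"custom_urls"`.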


@ -0,0 +1,42 @@
{
"job_type": "anomaly_detector",
"description": "SIEM Winlogbeat: Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms (beta)",
"groups": [
"siem"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "high_info_content(\"winlog.event_data.ScriptBlockText\")",
"function": "high_info_content",
"field_name": "winlog.event_data.ScriptBlockText"
}
],
"influencers": [
"host.name",
"user.name",
"winlog.event_data.Path"
]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"custom_urls": [
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,37 @@
{
"job_type": "anomaly_detector",
"groups": [
"siem"
],
"description": "SIEM Winlogbeat: Looks for rare and unusual Windows services which may indicate execution of unauthorized services, malware, or persistence mechanisms (beta)",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"winlog.event_data.ServiceName\"",
"function": "rare",
"by_field_name": "winlog.event_data.ServiceName"
}
],
"influencers": [
"host.name",
"winlog.event_data.ServiceName"
]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"custom_urls": [
{
"url_name": "Host Details",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,50 @@
{
"job_type": "anomaly_detector",
"description": "SIEM Winlogbeat: Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement (beta)",
"groups": [
"siem"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}