Updates datafeeds for supplied security anomaly detection jobs to exclude Elastic Agent and Beats processes (#213927)

As described in https://github.com/elastic/security-team/issues/11532,
we have added `must_not` filters to the datafeed queries so that events
generated by the Elastic Agent and Beats processes are excluded.
Miguel Garzón 2025-03-21 05:32:14 -04:00 committed by GitHub
parent 0784ba5093
commit 35588ecdbb
39 changed files with 1265 additions and 1008 deletions


@ -17,7 +17,12 @@
"event.outcome": "success"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}
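Review bot: Excluding on a bare `process.name` list (L24) opens an easy evasion: any binary an attacker renames to `filebeat` or `metricbeat.exe` is dropped from the datafeed and never scored by the anomaly job, so the exclusion is a detection blind spot rather than just noise reduction. Where the index carries them, anchoring on harder-to-forge attributes such as `process.executable` under the Agent install path or `process.code_signature.subject_name` would be safer, e.g. `"must_not": { "bool": { "filter": [ { "terms": { "process.name": [...] } }, { "term": { "process.code_signature.trusted": true } } ] } }` — confirm those fields are populated in the target indices first. The list also omits `elastic-endpoint` / `elastic-endpoint.exe` (and `auditbeat`, `heartbeat`, `osquerybeat`, `fleet-server`) even though the description speaks of endpoint agents; if those are in scope they should be added consistently across all 39 datafeeds. Since the same ten names are now copied into every file, the canonical list should be documented in one place so the copies do not drift.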


@ -22,7 +22,12 @@
"event.outcome": "success"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}
}


@ -17,7 +17,12 @@
"event.outcome": "failure"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -17,7 +17,12 @@
"event.outcome": "success"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -17,7 +17,12 @@
"event.outcome": "success"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -17,7 +17,12 @@
"event.outcome": "success"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -4,7 +4,12 @@
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [{ "term": { "event.category": "authentication" } }]
"filter": [{ "term": { "event.category": "authentication" } }],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -27,7 +27,12 @@
"event.outcome": "success"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -27,7 +27,12 @@
"event.outcome": "success"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -1,77 +1,85 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool":
{
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"term": {"event.category": "network"}},
{"term": {"event.type": "start"}}
{"term": {"event.category": "network"}},
{"term": {"event.type": "start"}}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::"}},
{"term": {"destination.ip": "::1"}},
{"term": {"user.name": "jenkins"}}
]
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::"}},
{"term": {"destination.ip": "::1"}},
{"term": {"user.name":"jenkins"}}
]
}
}
]
}
}
}
}
}


@ -1,77 +1,85 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool":
{
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"term": {"event.category": "network"}},
{"term": {"event.type": "start"}}
{"term": {"event.category": "network"}},
{"term": {"event.type": "start"}}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::"}},
{"term": {"destination.ip": "::1"}},
{"term": {"user.name": "jenkins"}}
]
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::"}},
{"term": {"destination.ip": "::1"}},
{"term": {"user.name":"jenkins"}}
]
}
}
]
}
}
}
}
}
}


@ -1,101 +1,106 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"filter": [
{
"term": {
"user.name": "jenkins-worker"
"event.category": "process"
}
},
{
},
{
"term": {
"user.name": "jenkins-user"
"event.type": "start"
}
},
{
"term": {
"user.name": "jenkins"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
},
{
"wildcard": {
"process.name": {
"wildcard": "jenkins*"
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"term": {
"user.name": "jenkins-worker"
}
},
{
"term": {
"user.name": "jenkins-user"
}
},
{
"term": {
"user.name": "jenkins"
}
},
{
"wildcard": {
"process.name": {
"wildcard": "jenkins*"
}
}
},
{
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
]
}
}
]
}
}
]
}
]
}
}
}
}


@ -1,71 +1,76 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
]
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
]
}
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}
}
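Review bot: The new clause is written as a single object, `"must_not": { "terms": { ... } }` (L811-L815), while other datafeeds in this same commit use the array form `"must_not": [ { "terms": { ... } } ]`; both are accepted by the bool query, but picking one form for all 39 files makes the next bulk edit (adding an exclusion alongside the Beats list) a mechanical change instead of a per-file rewrite. The array form is the one that already accommodates a second clause, so `"must_not": [ { "terms": { "process.name": [ ... ] } } ]` is the safer default here.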


@ -33,7 +33,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "redhat",
@ -41,7 +41,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "suse",
@ -49,7 +49,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "ubuntu",
@ -101,7 +101,16 @@
]
}
}
]
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
}
}
}


@ -1,92 +1,101 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
]
}
},
{
"bool": {
"should": [
{
"term": {
"process.name": "netstat"
}
},
{
"term": {
"process.name": "ss"
}
},
{
"term": {
"process.name": "route"
}
},
{
"term": {
"process.name": "showmount"
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
]
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
]
},
{
"bool": {
"should": [
{
"term": {
"process.name": "netstat"
}
},
{
"term": {
"process.name": "ss"
}
},
{
"term": {
"process.name": "route"
}
},
{
"term": {
"process.name": "showmount"
}
}
]
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
}
}
}
}
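Review bot: The added `must_not` (L1043-L1051) cannot match any document in this datafeed: the `must` bool with only `should` clauses (L1016-L1040) already restricts `process.name` to `netstat`, `ss`, `route` or `showmount`, so none of the Beats names can reach the exclusion. It is harmless, but it adds query cost and suggests the list was applied mechanically. If the concern is discovery commands spawned by a Beats or Agent process, `process.parent.name` would be the field that expresses it — verify that field is populated in the target index before relying on it.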


@ -1,66 +1,74 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
]
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
]
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe",
"filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"
]
}
}
}
}
}
}


@ -1,66 +1,74 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
]
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
]
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe",
"filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"
]
}
}
}
}
}
}


@ -1,71 +1,76 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
},
{
"term": {
"process.name": "sudo"
}
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
},
{
"term": {
"process.name": "sudo"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
]
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
]
}
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}
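Review bot: The added `must_not` (L1465-L1469) is a no-op in this datafeed because the `filter` clause at L1408-L1412 already pins `process.name` to `sudo`, so no event with a Beats process name can ever be selected in the first place. Leaving it in is harmless but misleading for the next reader; either drop it here or, if the intent is to ignore sudo invocations issued by the Agent, exclude on `process.parent.name` instead — TODO confirm that field is present in the indexed process events.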


@ -1,71 +1,76 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}
}


@ -17,7 +17,12 @@
"field": "destination.geo.country_name"
}
}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}


@ -12,7 +12,14 @@
"event.category": "network"
}
}
]
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"
]
}
}
}
}
}


@ -17,7 +17,10 @@
"field": "destination.geo.country_name"
}
}
]
],
"must_not": {
"terms": { "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"] }
}
}
}
}


@ -10,7 +10,24 @@
{ "term": { "event.dataset": "network_traffic.dns" } }
],
"minimum_should_match": 1,
"must_not": [{ "bool": { "filter": { "term": { "destination.ip": "169.254.169.254" } } } }]
"must_not": [
{
"bool": {
"filter": {
"term": { "destination.ip": "169.254.169.254" }
}
}
},
{
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}


@ -10,7 +10,10 @@
{ "term": { "event.dataset": "network_traffic.dns" } }
],
"minimum_should_match": 1,
"must_not": [{ "bool": { "filter": { "term": { "dns.question.type": "PTR" } } } }]
"must_not": [
{ "bool": { "filter": { "term": { "dns.question.type": "PTR" } } } },
{ "terms": { "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"] } }
]
}
}
}


@ -9,7 +9,12 @@
"filter": [
{"term": {"agent.type": "packetbeat"}},
{"exists": {"field": "server.domain"}}
]
],
"must_not": {
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
}
}
}
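Review bot: This datafeed selects Packetbeat network-traffic documents (`agent.type: packetbeat`, L1718), and as far as I can tell those carry `process.name` only when Packetbeat's process monitoring is enabled, so the new `must_not` (L1722-L1726) most likely leaves the fed data unchanged. If the goal is to drop the traffic that the Beats themselves generate (shipping to Elasticsearch or Fleet), the effective control is on the connection itself — e.g. excluding the output endpoint via `destination.ip`/`destination.port` or `server.domain` — rather than on a process field that may be absent. Please check a sample document from the target index before merging so the exclusion is known to actually fire.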


@ -11,7 +11,12 @@
{"exists": {"field": "url.full"}}
],
"must_not": [
{"bool": {"filter": {"term": {"destination.ip": "169.254.169.254"}}}}
{"bool": {"filter": {"term": {"destination.ip": "169.254.169.254"}}}},
{
"terms": {
"process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
}
}
]
}
}


@ -10,7 +10,10 @@
{ "term": { "event.dataset": "network_traffic.http" } }
],
"minimum_should_match": 1,
"must_not": [{ "wildcard": { "user_agent.original": { "value": "Mozilla*" } } }]
"must_not": [
{ "wildcard": { "user_agent.original": { "value": "Mozilla*" } } },
{ "terms": { "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"] } }
]
}
}
}


@ -1,47 +1,56 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
},
{
"term": {
"event.type": "start"
}
}
]
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}
}
}


@ -1,71 +1,82 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "network"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"filter": [
{
"term": {
"destination.ip": "127.0.0.1"
"event.category": "network"
}
},
{
},
{
"term": {
"destination.ip": "127.0.0.53"
"event.type": "start"
}
},
{
"term": {
"destination.ip": "::1"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
],
"minimum_should_match": 1
}
}
]
}
],
"must_not": [
{
"bool": {
"should": [
{
"term": {
"destination.ip": "127.0.0.1"
}
},
{
"term": {
"destination.ip": "127.0.0.53"
}
},
{
"term": {
"destination.ip": "::1"
}
}
],
"minimum_should_match": 1
}
},
{
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent",
"metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat",
"packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}
}


@ -1,47 +1,56 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
},
{
"term": {
"event.type": "start"
}
}
]
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}
}
}


@ -1,47 +1,48 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
]
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
]
}
}
],
"must_not": { "terms": { "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"] } }
}
}
}
}


@ -1,47 +1,48 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
]
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
]
}
}
],
"must_not": { "terms": { "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"] } }
}
}
}
}


@ -36,7 +36,16 @@
]
}
}
]
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
}
}
}
}


@ -36,7 +36,16 @@
]
}
}
]
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
}
}
}


@ -1,47 +1,56 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
},
{
"term": {
"event.type": "start"
}
}
]
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}
}
}


@ -1,23 +1,32 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe",
"metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe",
"packetbeat", "winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}
}
}


@ -1,23 +1,32 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe",
"metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe",
"packetbeat", "winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}
}


@ -1,42 +1,51 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.code": "4648"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
"filter": [
{
"term": {
"event.code": "4648"
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
]
}
}
}
}
}


@ -1,42 +1,51 @@
{
"job_id": "JOB_ID",
"indices": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"winlog.event_data.LogonType": "10"
}
}
],
"must": [
{
"bool": {
"should": [
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"match": {
"event.type": {
"query": "authentication_success",
"operator": "OR"
"term": {
"winlog.event_data.LogonType": "10"
}
}
},
{
"match": {
"event.action": {
"query": "logged-in",
"operator": "OR"
}
}
}
]
],
"must": [
{
"bool": {
"should": [
{
"match": {
"event.type": {
"query": "authentication_success",
"operator": "OR"
}
}
},
{
"match": {
"event.action": {
"query": "logged-in",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": {
"terms": {
"process.name": [
"elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat",
"filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat",
"winlogbeat.exe", "winlogbeat"
]
}
}
}
]
}
}
}
}
}
}