Updates to pre-built Security ML jobs (#146760)
## Summary This PR makes the following updates to our pre-built Security ML jobs: - Adds user-friendly names to our pre-built Anomaly Detection jobs. These will be displayed in the Anomalies tab on the new Entity Analytics page in the Security App instead of job IDs. - Fixes formatting - One job was missing the `security` job group which is required to display jobs in the Security App. Added that as well. - Changed the names of two modules: `siem_cloudtrail` -> `security_cloudtrail` and `siem_packetbeat` -> `security_packetbeat`. This should have happened a while ago per [this](https://github.com/elastic/kibana/issues/69319) issue. ## Side effects - Any QA tests that reference the `siem_cloudtrail` and `siem_packetbeat` modules will need to be changed to reference the new modules instead - Any references to the siem modules in the Security App will need to be updated Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Robert Oskamp <robert.oskamp@elastic.co>
This commit is contained in:
parent
578d643032
commit
9e4cb9d2f7
79 changed files with 536 additions and 488 deletions
@ -25,6 +25,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-auth"
|
||||
"created_by": "ml-module-security-auth",
|
||||
"security_app_display_name": "Spike in Logon Events"
|
||||
}
|
||||
}
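Review bot: The new `security_app_display_name` is only written into `custom_settings` when the module creates the job, so copies of this job already installed on existing clusters presumably keep their old `custom_settings` and will keep surfacing under the raw job ID in the Anomalies tab until they are re-created. Confirm that the Security App falls back to the job ID when the key is absent, and consider spelling out the re-install/update path for existing deployments next to the QA-test note in the description. The enclosing job object starts before this hunk.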
@ -30,6 +30,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-auth"
|
||||
"created_by": "ml-module-security-auth",
|
||||
"security_app_display_name": "Spike in Logon Events from a Source IP"
|
||||
}
|
||||
}
@ -25,6 +25,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-auth"
|
||||
"created_by": "ml-module-security-auth",
|
||||
"security_app_display_name": "Spike in Failed Logon Events"
|
||||
}
|
||||
}
@ -28,6 +28,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-auth"
|
||||
"created_by": "ml-module-security-auth",
|
||||
"security_app_display_name": "Unusual Hour for a User to Logon"
|
||||
}
|
||||
}
@ -29,6 +29,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-auth"
|
||||
"created_by": "ml-module-security-auth",
|
||||
"security_app_display_name": "Unusual Source IP for a User to Logon from"
|
||||
}
|
||||
}
@ -28,6 +28,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-auth"
|
||||
"created_by": "ml-module-security-auth",
|
||||
"security_app_display_name": "Rare User Logon"
|
||||
}
|
||||
}
@ -30,7 +30,8 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"created_by": "ml-module-security-auth",
|
||||
"security_app_display_name": "Unusual Login Activity",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "IP Address Details",
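Review bot: Re-labelling this job's `created_by` from `ml-module-siem-auditbeat` to `ml-module-security-auth` only changes the marker stamped on newly created jobs; installs that already hold this job keep `ml-module-siem-auditbeat`, so anything that attributes jobs to a module by that value will not recognise them after the change. Please also confirm the same job ID is no longer shipped by the siem_auditbeat module, otherwise two modules would try to create one job ID with different metadata. The `custom_urls` array continues past the end of this hunk.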
@ -1,5 +1,5 @@
|
|||
{
|
||||
"id": "siem_cloudtrail",
|
||||
"id": "security_cloudtrail",
|
||||
"title": "Security: Cloudtrail",
|
||||
"description": "Detect suspicious activity recorded in your cloudtrail logs.",
|
||||
"type": "Filebeat data",
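Review bot: The module `id` changes with no alias for the old `siem_cloudtrail` value, and the job configs in this module now stamp `created_by: ml-module-security-cloudtrail`, so clusters that set the module up under the old id hold jobs carrying the legacy marker. If module or job ownership is resolved by id or `created_by`, those installs may look as if nothing is installed and a second setup could be attempted against the same job IDs; either tolerate the legacy marker where ownership is checked, or document the migration (remove old jobs, re-run setup) alongside the QA-test note in the description. The rest of the manifest (index patterns, job and datafeed lists) is outside this hunk.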
@ -29,6 +29,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
"created_by": "ml-module-security-cloudtrail",
|
||||
"security_app_display_name": "Spike in AWS Error Messages"
|
||||
}
|
||||
}
@ -28,6 +28,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
"created_by": "ml-module-security-cloudtrail",
|
||||
"security_app_display_name": "Rare AWS Error Code"
|
||||
}
|
||||
}
@ -29,6 +29,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
"created_by": "ml-module-security-cloudtrail",
|
||||
"security_app_display_name": "Unusual City for an AWS Command"
|
||||
}
|
||||
}
@ -29,6 +29,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
"created_by": "ml-module-security-cloudtrail",
|
||||
"security_app_display_name": "Unusual Country for an AWS Command"
|
||||
}
|
||||
}
@ -29,6 +29,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
"created_by": "ml-module-security-cloudtrail",
|
||||
"security_app_display_name": "Unusual AWS Command for a User"
|
||||
}
|
||||
}
@ -32,14 +32,14 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "4004",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
@ -57,7 +57,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux Network Activity"
|
||||
}
|
||||
}
|
||||
}
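Review bot: The `Hosts Overview by user name` link in the second hunk still targets the legacy `siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:...` route, whereas the same link in the sibling v3 jobs uses `security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=...`; given this PR's aim of finishing the siem-to-security rename, this URL should be brought in line, otherwise the pivot relies on a legacy-URL redirect that may not carry the `kqlQuery` parameter shape across. The other entries of this job's `custom_urls` array sit between the two hunks and are not visible here, so they should be checked for the same stale path. The `custom_settings` re-indentation in the first hunk is cosmetic.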
@ -57,6 +57,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux Network Port Activity"
|
||||
}
|
||||
}
@ -42,7 +42,7 @@
|
|||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux",
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
@ -60,6 +60,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Anomalous Process for a Linux Population"
|
||||
}
|
||||
}
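Review bot: `created_by` is bumped to `ml-module-security-linux-v3`, but the `job_tags` block right above still reads `"version": "3"` and `"updated_date": "5/16/2022"`, so a consumer that keys on `job_tags` to detect a revised job config cannot tell this revision from the previous one; if `updated_date` is meant to track config changes it should be bumped here, and ideally written as ISO 8601 (`YYYY-MM-DD`) rather than a locale-formatted date. As with the other `created_by` relabels in this PR, jobs already installed under `ml-module-security-linux` keep the old marker. The job object starts before the first hunk.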
@ -41,7 +41,7 @@
|
|||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux",
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
@ -59,6 +59,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux Username"
|
||||
}
|
||||
}
@ -1,62 +1,63 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "40012",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux System Network Configuration Discovery"
|
||||
}
|
||||
}
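Review bot: Apart from the added `security_app_display_name`, this hunk is a re-indentation, so the part worth a second look is the unchanged `custom_urls`: `$user.name$` and `$process.name$` come from events generated on the monitored hosts and are spliced into a quoted KQL term inside a rison-encoded query (`query:'user.name%20:%20%22$user.name$%22'`). The JSON cannot escape those values itself; it depends on the ML custom-URL substitution to URL-encode and KQL-escape them, which I believe it does, but a user name containing `"`, `'` or `)` would otherwise break or alter the pivot query, so it is worth confirming that path is exercised for Security-app links. Since `user.name` is also the `by_field_name` of the `rare` detector, unusual values are exactly the ones that will appear as anomalies.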
@ -1,62 +1,63 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "4013",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux Network Connection Discovery"
|
||||
}
|
||||
}
@ -40,6 +40,8 @@
|
|||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux" }
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"security_app_display_name": "Unusual Linux Process Calling the Metadata Service"
|
||||
}
|
||||
}
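Review bot: Unlike the other v3 Linux jobs in this PR, this job's `custom_settings` goes straight from `job_tags` to `created_by` and the new display name with no `custom_urls`, so analysts get a friendly name but no host/user pivot links from the Anomalies tab. If that is not deliberate, the `Host Details by process name` / `Hosts Overview by user name` entries used by the sibling jobs could be added here; a display name alone does not help triage the metadata-service call this job flags. Replacing the old single-line `"created_by": "ml-module-security-linux" }` is welcome.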
@ -39,7 +39,8 @@
|
|||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"security_app_display_name": "Unusual Linux User Calling the Metadata Service"
|
||||
}
|
||||
}
@ -1,62 +1,63 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for sudo activity from an unusual user context. Unusual user context changes can be due to privilege escalation.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for sudo activity from an unusual user context. Unusual user context changes can be due to privilege escalation.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "32mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "32mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "4017",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
],
|
||||
"security_app_display_name": "Unusual Sudo Activity"
|
||||
}
|
||||
}
@ -1,54 +1,55 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.title",
|
||||
"host.name",
|
||||
"process.working_directory",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"influencers": [
|
||||
"process.title",
|
||||
"host.name",
|
||||
"process.working_directory",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "4018",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
],
|
||||
"security_app_display_name": "Anomalous Linux Compiler Activity"
|
||||
}
|
||||
}
@ -1,62 +1,63 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "4014",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux System Information Discovery Activity"
|
||||
}
|
||||
}
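Review bot: `job_tags.version` stays `"3"` and `updated_date` stays `"5/16/2022"` even though the job definition gains a new `security_app_display_name` key in this hunk, in the two following full-file Linux hunks, and alongside the `created_by` corrections in the Linux and Windows hunks elsewhere in this commit. If anything downstream compares these tags to decide whether an installed job definition is stale, it will not notice this update; if they are purely informational, a one-line note in the module documentation saying so would prevent that question from recurring. Should the tags be bumped, an unambiguous ISO 8601 value such as `"updated_date": "2022-12-01"` (constructed example) would also remove the M/D/Y ambiguity of the current string, provided no consumer parses the existing format — I cannot tell from the page.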
|
|
@ -1,62 +1,63 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "4015",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux Process Discovery Activity"
|
||||
}
|
||||
}
|
|
@ -1,62 +1,63 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"endpoint",
|
||||
"linux",
|
||||
"process"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "Detects rare user.name values.",
|
||||
"function": "rare",
|
||||
"by_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"influencers": [
|
||||
"process.name",
|
||||
"host.name",
|
||||
"process.args",
|
||||
"user.name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"euid": "4016",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
],
|
||||
"security_app_display_name": "Unusual Linux System Owner or User Discovery Activity"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -41,8 +41,8 @@
|
|||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-linux",
|
||||
},
|
||||
"created_by": "ml-module-security-linux-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
|
@ -60,6 +60,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Process for a Linux Host"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -31,6 +31,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-network"
|
||||
"created_by": "ml-module-security-network",
|
||||
"security_app_display_name": "Spike in Network Traffic to a Country"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-network"
|
||||
"created_by": "ml-module-security-network",
|
||||
"security_app_display_name": "Spike in Firewall Denies"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-network"
|
||||
"created_by": "ml-module-security-network",
|
||||
"security_app_display_name": "Spike in Network Traffic"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-security-network"
|
||||
"created_by": "ml-module-security-network",
|
||||
"security_app_display_name": "Network Traffic to Rare Destination Country"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"id": "siem_packetbeat",
|
||||
"id": "security_packetbeat",
|
||||
"title": "Security: Packetbeat",
|
||||
"description": "Detect suspicious network activity in Packetbeat data.",
|
||||
"type": "Packetbeat data",
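Review bot: Renaming the module id from `siem_packetbeat` to `security_packetbeat` here (and `created_by` from `ml-module-siem-packetbeat` to `ml-module-security-packetbeat` in the job files that follow) leaves deployments that already installed the old module with jobs that no longer match the new identifiers. If module setup or the Security app recognizes installed jobs by module id or `created_by`, those users would see the detectors as not installed and could end up with a duplicate set after re-running setup — I cannot confirm the matching logic from this page. The description lists test and app references as side effects but not this upgrade path; a short migration note in the manifest description or release notes, or tolerating the old `created_by` value when checking for existing jobs, would close the gap. The same consideration applies to the `ml-module-security-linux` and `ml-module-security-windows` to `-v3` `created_by` changes elsewhere in this commit.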
|
|
@ -45,12 +45,13 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-packetbeat",
|
||||
"created_by": "ml-module-security-packetbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "DNS Tunneling"
|
||||
}
|
||||
}
|
|
@ -27,12 +27,13 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-packetbeat",
|
||||
"created_by": "ml-module-security-packetbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual DNS Activity"
|
||||
}
|
||||
}
|
|
@ -29,12 +29,13 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-packetbeat",
|
||||
"created_by": "ml-module-security-packetbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Network Destination Domain Name"
|
||||
}
|
||||
}
|
|
@ -28,12 +28,13 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-packetbeat",
|
||||
"created_by": "ml-module-security-packetbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Web Request"
|
||||
}
|
||||
}
|
|
@ -28,12 +28,13 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-packetbeat",
|
||||
"created_by": "ml-module-security-packetbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Web User Agent"
|
||||
}
|
||||
}
|
|
@ -37,14 +37,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8001",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows",
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
|
@ -62,6 +62,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Process for a Windows Host"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -36,14 +36,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8003",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows",
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
|
@ -61,6 +61,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Windows Network Activity"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -35,14 +35,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8004",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows",
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
|
@ -60,6 +60,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Windows Path Activity"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -36,14 +36,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8002",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows",
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
|
@ -61,6 +61,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Anomalous Process for a Windows Population"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -37,14 +37,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8005",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows",
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
|
@ -62,6 +62,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Anomalous Windows Process Creation"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -7,7 +7,8 @@
|
|||
"process",
|
||||
"windows",
|
||||
"winlogbeat",
|
||||
"powershell"
|
||||
"powershell",
|
||||
"security"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
|
@ -32,13 +33,14 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8006",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
|
@ -48,6 +50,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Suspicious Powershell Script"
|
||||
}
|
||||
}
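Review bot: The `Hosts Overview by user name` link in this job still points at the legacy `siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:...,kind:kuery),queryLocation:hosts.page,type:page)` path, while every other job touched by this commit uses `security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(...)`. It is a context line here, but since this file is being normalized anyway it seems worth aligning the two, as whether the old `siem` hash route still redirects correctly is not something the page shows. The `Host Details by user name` entry for this job sits outside the hunk and presumably has the same form. Minor: the new display name `Suspicious Powershell Script` is user-facing, and the product casing is `PowerShell`.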
|
||||
|
|
|
@ -32,19 +32,20 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8007",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Windows Service"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -36,14 +36,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8008",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows",
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
|
@ -61,6 +61,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Windows Username"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -35,13 +35,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8011",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows"
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"security_app_display_name": "Unusual Windows Process Calling the Metadata Service"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -34,13 +34,14 @@
|
|||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8012",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
"created_by": "ml-module-security-windows"
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"security_app_display_name": "Unusual Windows User Calling the Metadata Service"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -32,13 +32,13 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8009",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
|
@ -57,6 +57,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Windows User Privilege Elevation Activity"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -32,13 +32,13 @@
|
|||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"job_tags": {
|
||||
"job_tags": {
|
||||
"euid": "8013",
|
||||
"maturity": "release",
|
||||
"author": "@randomuserid/Elastic",
|
||||
"version": "3",
|
||||
"updated_date": "5/16/2022"
|
||||
},
|
||||
},
|
||||
"created_by": "ml-module-security-windows-v3",
|
||||
"custom_urls": [
|
||||
{
|
||||
|
@ -57,6 +57,7 @@
|
|||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
],
|
||||
"security_app_display_name": "Unusual Windows Remote User"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -11,8 +11,8 @@
|
|||
*
|
||||
*/
|
||||
export const mlModules: string[] = [
|
||||
'siem_cloudtrail',
|
||||
'siem_packetbeat',
|
||||
'security_cloudtrail',
|
||||
'security_packetbeat',
|
||||
'security_auth',
|
||||
'security_linux_v3',
|
||||
'security_network',
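Review bot: Dropping `'siem_cloudtrail'` and `'siem_packetbeat'` from `mlModules` while adding the new ids means jobs that were installed from the old module ids on existing clusters will no longer match this list, so it is worth confirming that whatever consumes `mlModules` (not visible here) still surfaces those pre-existing jobs after upgrade rather than only newly installed ones. If a transition period is wanted, the legacy ids can be kept alongside the new ones with a comment such as `'siem_cloudtrail', // legacy module id; jobs installed before the rename still carry it`. The array continues past the end of the hunk.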
|
||||
|
|
|
@ -35,14 +35,14 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
|
|||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_sample_ecommerce');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_sample_logs');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_security_endpoint');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_siem_auditbeat');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_siem_packetbeat');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_siem_winlogbeat');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_security_auditbeat');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_security_packetbeat');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_security_winlogbeat');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/farequote');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/bm_classification');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/ihp_outlier');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_metricbeat');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_siem_cloudtrail');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_security_cloudtrail');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_metrics_ui');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_apache_data_stream');
|
||||
await esArchiver.unload('x-pack/test/functional/es_archives/ml/module_nginx_data_stream');
|
||||
|
|
|
@ -27,11 +27,11 @@ const moduleIds = [
|
|||
'sample_data_ecommerce',
|
||||
'sample_data_weblogs',
|
||||
'security_auth',
|
||||
'security_cloudtrail',
|
||||
'security_linux_v3',
|
||||
'security_network',
|
||||
'security_packetbeat',
|
||||
'security_windows_v3',
|
||||
'siem_cloudtrail',
|
||||
'siem_packetbeat',
|
||||
'uptime_heartbeat',
|
||||
];
|
||||
|
||||
|
|
|
@ -14,8 +14,7 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
|
|||
const fleetPackages = ['apache', 'nginx'];
|
||||
const installedPackages: Array<{ pkgName: string; version: string }> = [];
|
||||
|
||||
// failing: https://github.com/elastic/kibana/issues/102283
|
||||
describe.skip('modules', function () {
|
||||
describe('modules', function () {
|
||||
before(async () => {
|
||||
// use await kibanaServer.savedObjects.cleanStandardList(); to make sure the fleet setup is removed correctly after the tests
|
||||
await kibanaServer.savedObjects.cleanStandardList();
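Review bot: Re-enabling the suite removes the `// failing: https://github.com/elastic/kibana/issues/102283` comment without recording what resolved the failure, and the commit description does not mention it either. A one-line note at the `describe('modules', ...)` line, for example `// re-enabled after the module rename; previously skipped for issue 102283`, or a sentence in the description would help the next person who sees this suite fail. The enclosing `export default function` starts outside the hunk.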
|
||||
|
|
|
@ -69,8 +69,8 @@ export default ({ getService }: FtrProviderContext) => {
|
|||
},
|
||||
{
|
||||
testTitleSuffix: 'for siem auditbeat dataset',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_siem_auditbeat',
|
||||
indexPattern: 'ft_module_siem_auditbeat',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_security_auditbeat',
|
||||
indexPattern: 'ft_module_security_auditbeat',
|
||||
user: USER.ML_POWERUSER,
|
||||
expected: {
|
||||
responseCode: 200,
|
||||
|
@ -79,18 +79,18 @@ export default ({ getService }: FtrProviderContext) => {
|
|||
},
|
||||
{
|
||||
testTitleSuffix: 'for siem packetbeat dataset',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_siem_packetbeat',
|
||||
indexPattern: 'ft_module_siem_packetbeat',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_security_packetbeat',
|
||||
indexPattern: 'ft_module_security_packetbeat',
|
||||
user: USER.ML_POWERUSER,
|
||||
expected: {
|
||||
responseCode: 200,
|
||||
moduleIds: ['siem_packetbeat'],
|
||||
moduleIds: ['security_packetbeat'],
|
||||
},
|
||||
},
|
||||
{
|
||||
testTitleSuffix: 'for siem winlogbeat dataset',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_siem_winlogbeat',
|
||||
indexPattern: 'ft_module_siem_winlogbeat',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_security_winlogbeat',
|
||||
indexPattern: 'ft_module_security_winlogbeat',
|
||||
user: USER.ML_POWERUSER,
|
||||
expected: {
|
||||
responseCode: 200,
|
||||
|
@ -153,12 +153,12 @@ export default ({ getService }: FtrProviderContext) => {
|
|||
},
|
||||
{
|
||||
testTitleSuffix: 'for siem clodutrail dataset',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_siem_cloudtrail',
|
||||
indexPattern: 'ft_module_siem_cloudtrail',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_security_cloudtrail',
|
||||
indexPattern: 'ft_module_security_cloudtrail',
|
||||
user: USER.ML_POWERUSER,
|
||||
expected: {
|
||||
responseCode: 200,
|
||||
moduleIds: ['siem_cloudtrail'],
|
||||
moduleIds: ['security_cloudtrail'],
|
||||
},
|
||||
},
|
||||
{
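Review bot: The archive paths, index patterns and expected `moduleIds` are renamed to `security_*`, but the unchanged `testTitleSuffix` strings still read `'for siem auditbeat dataset'`, `'for siem packetbeat dataset'`, `'for siem winlogbeat dataset'` and `'for siem clodutrail dataset'` (the last with a typo), so test output keeps reporting siem while exercising the security modules. Updating them to `'for security cloudtrail dataset'` and so on would keep the titles aligned with the data they use. The same applies to `'for siem_packetbeat with prefix, …'` and `'for siem_cloudtrail with prefix, …'` in the setup-module cases in the next file section.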
|
||||
|
|
|
@ -314,13 +314,13 @@ export default ({ getService }: FtrProviderContext) => {
|
|||
{
|
||||
testTitleSuffix:
|
||||
'for siem_packetbeat with prefix, startDatafeed true and estimateModelMemory true',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_siem_packetbeat',
|
||||
indexPattern: { name: 'ft_module_siem_packetbeat', timeField: '@timestamp' },
|
||||
module: 'siem_packetbeat',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_security_packetbeat',
|
||||
indexPattern: { name: 'ft_module_security_packetbeat', timeField: '@timestamp' },
|
||||
module: 'security_packetbeat',
|
||||
user: USER.ML_POWERUSER,
|
||||
requestBody: {
|
||||
prefix: 'pf12_',
|
||||
indexPatternName: 'ft_module_siem_packetbeat',
|
||||
indexPatternName: 'ft_module_security_packetbeat',
|
||||
startDatafeed: true,
|
||||
end: 1588688580000,
|
||||
},
|
||||
|
@ -499,13 +499,13 @@ export default ({ getService }: FtrProviderContext) => {
|
|||
{
|
||||
testTitleSuffix:
|
||||
'for siem_cloudtrail with prefix, startDatafeed true and estimateModelMemory true',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_siem_cloudtrail',
|
||||
indexPattern: { name: 'ft_module_siem_cloudtrail', timeField: '@timestamp' },
|
||||
module: 'siem_cloudtrail',
|
||||
sourceDataArchive: 'x-pack/test/functional/es_archives/ml/module_security_cloudtrail',
|
||||
indexPattern: { name: 'ft_module_security_cloudtrail', timeField: '@timestamp' },
|
||||
module: 'security_cloudtrail',
|
||||
user: USER.ML_POWERUSER,
|
||||
requestBody: {
|
||||
prefix: 'pf20_',
|
||||
indexPatternName: 'ft_module_siem_cloudtrail',
|
||||
indexPatternName: 'ft_module_security_cloudtrail',
|
||||
startDatafeed: true,
|
||||
end: 1594231870000,
|
||||
},
|
||||
|
|
Binary file not shown.
|
@ -3,7 +3,7 @@
|
|||
"value": {
|
||||
"aliases": {
|
||||
},
|
||||
"index": "ft_module_siem_auditbeat",
|
||||
"index": "ft_module_security_auditbeat",
|
||||
"mappings": {
|
||||
"properties": {
|
||||
"@timestamp": {
|
||||
|
@ -1660,4 +1660,4 @@
|
|||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
Binary file not shown.
|
@ -3,7 +3,7 @@
|
|||
"value": {
|
||||
"aliases": {
|
||||
},
|
||||
"index": "ft_module_siem_cloudtrail",
|
||||
"index": "ft_module_security_cloudtrail",
|
||||
"mappings": {
|
||||
"_meta": {
|
||||
"beat": "filebeat",
|
||||
|
@ -12947,4 +12947,4 @@
|
|||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
Binary file not shown.
|
@ -3,7 +3,7 @@
|
|||
"value": {
|
||||
"aliases": {
|
||||
},
|
||||
"index": "ft_module_siem_packetbeat",
|
||||
"index": "ft_module_security_packetbeat",
|
||||
"mappings": {
|
||||
"_meta": {
|
||||
"beat": "packetbeat",
|
||||
|
@ -4640,4 +4640,4 @@
|
|||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
Binary file not shown.
|
@ -3,7 +3,7 @@
|
|||
"value": {
|
||||
"aliases": {
|
||||
},
|
||||
"index": "ft_module_siem_winlogbeat",
|
||||
"index": "ft_module_security_winlogbeat",
|
||||
"mappings": {
|
||||
"_meta": {
|
||||
"beat": "winlogbeat",
|
||||
|
@ -4219,4 +4219,4 @@
|
|||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.