[ML] Adding v3 modules for Security_Linux and Security_Windows and Deprecating v1 + v2 (#131166)

* consolidate Security ML Modules

* removal of auditbeat host processes ecs module

* removing siem_winlogbeat_auth after consolidating into windows_security

* renamed to avoid job collisions

* Update recognize_module.ts

removed references to deprecated v1 modules which no longer exist

* test fixes

remove references to deprecated module and modify module names to match the latest v3 modules being committed.

* Update recognize_module.ts

think this is what the linter wants

* deprecating winlogbeat and auditbeat modules

* fixes test post-deprecation of modules

* fixes typo in test

* revert linting changes

* revert linting changes pt2

* fixing test in setup_module.ts

* ml module refactor

* manifest, job, and datafeed cleanup based on PR feedback

* commenting out security solution tests for ML Modules

* modified ml module tests and job descriptions

* Update datafeed_auth_high_count_logon_events_for_a_source_ip.json

added test for existence of source.ip field per https://github.com/elastic/kibana/issues/131376

* Update datafeed_auth_high_count_logon_events_for_a_source_ip.json

formatting

* descriptions

standardized descriptions between Linux and Windows jobs; removed the term "services" from the rare process jobs because it has a special meaning under Windows and is the target of a different job; added a sentence to the sudo job description, which I think was a stub description that never got fleshed out when it was developed.

* tags

added job tags

* tags

added Linux job tags

* tags

* linting

remove a dup json element

* Update v3_windows_anomalous_script.json

add the Security: Windows prefix which was missing

* Update v3_linux_anomalous_network_activity.json

missing bracket

* Update v3_windows_anomalous_script.json

the prefix was in the wrong place

Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Bobby Filar 2022-05-18 09:33:46 -05:00 committed by GitHub
parent 31bb2c7fc5
commit f85c39e5f6
148 changed files with 2220 additions and 3314 deletions


@ -1,12 +0,0 @@
{
"title": "ML Auditbeat Hosts: Process Event Rate (ECS)",
"hits": 0,
"description": "Investigate unusual process event rates on a host",
"panelsJSON": "[{\"size_x\":6,\"size_y\":4,\"row\":1,\"col\":1,\"id\":\"ml_auditbeat_hosts_process_event_rate_vis_ecs\",\"panelIndex\":\"1\",\"type\":\"visualization\"},{\"size_x\":6,\"size_y\":4,\"row\":1,\"col\":7,\"id\":\"ml_auditbeat_hosts_process_event_rate_by_process_ecs\",\"panelIndex\":\"2\",\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":8,\"row\":5,\"col\":1,\"panelIndex\":\"3\",\"type\":\"search\",\"id\":\"ml_auditbeat_hosts_process_events_ecs\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}


@ -1,12 +0,0 @@
{
"title": "ML Auditbeat Hosts: Process Explorer (ECS)",
"hits": 0,
"description": "Explore processes on a host",
"panelsJSON": "[{\"size_x\": 6,\"size_y\": 4,\"row\": 1,\"col\": 1,\"id\": \"ml_auditbeat_hosts_process_occurrence_ecs\",\"panelIndex\": \"1\",\"type\": \"visualization\"},{\"size_x\": 12,\"size_y\": 8,\"row\": 5,\"col\": 1,\"panelIndex\": \"2\",\"type\": \"search\",\"id\": \"ml_auditbeat_hosts_process_events_ecs\"},{\"size_x\": 6,\"size_y\": 4,\"row\": 1,\"col\": 7,\"panelIndex\": \"3\",\"type\": \"visualization\",\"id\": \"ml_auditbeat_hosts_process_event_rate_by_process_ecs\"}\n]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}


@ -1,19 +0,0 @@
{
"title": "ML Auditbeat Hosts: Process Events (ECS)",
"description": "Auditbeat auditd process events on host machines",
"hits": 0,
"columns": [
"host.name",
"auditd.data.syscall",
"process.executable",
"process.title"
],
"sort": [
"@timestamp",
"desc"
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":true,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"container.runtime\",\"value\":\"exists\"},\"exists\":{\"field\":\"container.runtime\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.module\",\"value\":\"auditd\",\"params\":{\"query\":\"auditd\"}},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"auditd.data.syscall\",\"value\":\"exists\"},\"exists\":{\"field\":\"auditd.data.syscall\"},\"$state\":{\"store\":\"appState\"}}]}"
}
}


@ -1,11 +0,0 @@
{
"title": "ML Auditbeat Hosts: Process Event Rate by Process (ECS)",
"visState": "{\"type\": \"histogram\",\"params\": {\"type\": \"histogram\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\"},\"labels\": {\"show\": true,\"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\",\"mode\": \"normal\"},\"labels\": {\"show\": true,\"rotate\": 0,\"filter\": false,\"truncate\": 100},\"title\": {\"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"histogram\",\"mode\": \"stacked\",\"data\": {\"label\": \"Count\",\"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"process.executable\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"savedSearchId": "ml_auditbeat_hosts_process_events_ecs",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}


@ -1,11 +0,0 @@
{
"title": "ML Auditbeat Hosts: Process Event Rate (ECS)",
"visState":"{\"type\": \"line\",\"params\": {\"type\": \"line\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\"},\"labels\": {\"show\": true,\"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\",\"mode\": \"normal\"},\"labels\": {\"show\": true,\"rotate\": 0,\"filter\": false,\"truncate\": 100},\"title\": {\"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"line\",\"mode\": \"normal\",\"data\": {\"label\": \"Count\",\"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"host.name\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"savedSearchId": "ml_auditbeat_hosts_process_events_ecs",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}


@ -1,11 +0,0 @@
{
"title": "ML Auditbeat Hosts: Process Occurrence - experimental (ECS)",
"visState": "{\"type\":\"vega\",\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega-lite/v4.json\\n width: \\\"container\\\"\\n mark: {type: \\\"point\\\"}\\n data: {\\n url: {\\n index: \\\"INDEX_PATTERN_NAME\\\"\\n body: {\\n size: 10000\\n query: {\\n bool: {\\n must: [\\n %dashboard_context-must_clause%\\n {\\n exists: {field: \\\"process.executable\\\"}\\n }\\n {\\n function_score: {\\n random_score: {seed: 10, field: \\\"_seq_no\\\"}\\n }\\n }\\n {\\n range: {\\n @timestamp: {\\n %timefilter%: true\\n }\\n }\\n }\\n ]\\n must_not: [\\n \\\"%dashboard_context-must_not_clause%\\\"\\n ]\\n }\\n }\\n script_fields: {\\n process_exe: {\\n script: {source: \\\"params['_source']['process']['executable']\\\"}\\n }\\n }\\n _source: [\\\"@timestamp\\\", \\\"process_exe\\\"]\\n }\\n }\\n format: {property: \\\"hits.hits\\\"}\\n }\\n transform: [\\n {calculate: \\\"toDate(datum._source['@timestamp'])\\\", as: \\\"time\\\"}\\n ]\\n encoding: {\\n x: {\\n field: time\\n type: temporal\\n axis: {labels: true, ticks: true, title: false},\\n timeUnit: utcyearmonthdatehoursminutes\\n }\\n y: {\\n field: fields.process_exe\\n type: ordinal\\n sort: {op: \\\"count\\\", order: \\\"descending\\\"}\\n axis: {labels: true, title: \\\"occurrence of process.executable\\\", ticks: false}\\n }\\n }\\n config: {\\n style: {\\n point: {filled: true}\\n }\\n }\\n}\"},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"savedSearchId": "ml_auditbeat_hosts_process_events_ecs",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
}


@ -1,76 +0,0 @@
{
"id": "auditbeat_process_hosts_ecs",
"title": "Auditbeat host processes",
"description": "Detect unusual processes on hosts from auditd data (ECS).",
"type": "Auditbeat data",
"logoFile": "logo.json",
"defaultIndexPattern": "auditbeat-*",
"query": {
"bool": {
"filter": [
{ "term": { "event.module": "auditd" } }
],
"must": {
"exists": { "field": "auditd.data.syscall" }
},
"must_not": [
{ "exists": { "field": "container.runtime" } },
{ "terms": { "_tier": [ "data_frozen", "data_cold" ] } }
]
}
},
"jobs": [
{
"id": "hosts_high_count_process_events_ecs",
"file": "hosts_high_count_process_events_ecs.json"
},
{
"id": "hosts_rare_process_activity_ecs",
"file": "hosts_rare_process_activity_ecs.json"
}
],
"datafeeds": [
{
"id": "datafeed-hosts_high_count_process_events_ecs",
"file": "datafeed_hosts_high_count_process_events_ecs.json",
"job_id": "hosts_high_count_process_events_ecs"
},
{
"id": "datafeed-hosts_rare_process_activity_ecs",
"file": "datafeed_hosts_rare_process_activity_ecs.json",
"job_id": "hosts_rare_process_activity_ecs"
}
],
"kibana": {
"dashboard": [
{
"id": "ml_auditbeat_hosts_process_event_rate_ecs",
"file": "ml_auditbeat_hosts_process_event_rate_ecs.json"
},
{
"id": "ml_auditbeat_hosts_process_explorer_ecs",
"file": "ml_auditbeat_hosts_process_explorer_ecs.json"
}
],
"search": [
{
"id": "ml_auditbeat_hosts_process_events_ecs",
"file": "ml_auditbeat_hosts_process_events_ecs.json"
}
],
"visualization": [
{
"id": "ml_auditbeat_hosts_process_event_rate_by_process_ecs",
"file": "ml_auditbeat_hosts_process_event_rate_by_process_ecs.json"
},
{
"id": "ml_auditbeat_hosts_process_event_rate_vis_ecs",
"file": "ml_auditbeat_hosts_process_event_rate_vis_ecs.json"
},
{
"id": "ml_auditbeat_hosts_process_occurrence_ecs",
"file": "ml_auditbeat_hosts_process_occurrence_ecs.json"
}
]
}
}


@ -1,19 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{ "term": { "event.module": "auditd" } }
],
"must": {
"exists": { "field": "auditd.data.syscall" }
},
"must_not": {
"exists": { "field": "container.runtime" }
}
}
}
}


@ -1,19 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"query": {
"bool": {
"filter": [
{ "term": { "event.module": "auditd" } }
],
"must": {
"exists": { "field": "auditd.data.syscall" }
},
"must_not": {
"exists": { "field": "container.runtime" }
}
}
}
}


@ -1,38 +0,0 @@
{
"job_type": "anomaly_detector",
"description": "Auditbeat Hosts: Detect unusual increases in process execution rates (ECS)",
"groups": ["auditd"],
"analysis_config": {
"bucket_span": "1h",
"detectors": [
{
"detector_description": "High process rate on hosts",
"function": "high_non_zero_count",
"partition_field_name": "host.name"
}
],
"influencers": ["host.name", "process.executable"]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-auditbeat-process-hosts",
"custom_urls": [
{
"url_name": "Process rate",
"time_range": "1h",
"url_value": "dashboards#/view/ml_auditbeat_hosts_process_event_rate_ecs?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:event.module,negate:!f,params:(query:auditd),type:phrase,value:auditd),query:(match:(event.module:(query:auditd,type:phrase)))),('$state':(store:appState),exists:(field:container.runtime),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:container.runtime,negate:!t,type:exists,value:exists)),('$state':(store:appState),exists:(field:auditd.data.syscall),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:auditd.data.syscall,negate:!f,type:exists,value:exists))),query:(language:kuery,query:\u0027host.name:\u0022$host.name$\u0022\u0027))"
},
{
"url_name": "Raw data",
"time_range": "1h",
"url_value": "discover#/?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:kuery,query:\u0027host.name:\u0022$host.name$\u0022\u0027))"
}
]
}
}


@ -1,39 +0,0 @@
{
"job_type": "anomaly_detector",
"description": "Auditbeat Hosts: Detect rare process executions on hosts (ECS)",
"groups": ["auditd"],
"analysis_config": {
"bucket_span": "1h",
"detectors": [
{
"detector_description": "Rare process execution on hosts",
"function": "rare",
"by_field_name": "process.executable",
"partition_field_name": "host.name"
}
],
"influencers": ["host.name", "process.executable"]
},
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"created_by": "ml-module-auditbeat-process-hosts",
"custom_urls": [
{
"url_name": "Process explorer",
"time_range": "1h",
"url_value": "dashboards#/view/ml_auditbeat_hosts_process_explorer_ecs?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:event.module,negate:!f,params:(query:auditd),type:phrase,value:auditd),query:(match:(event.module:(query:auditd,type:phrase)))),('$state':(store:appState),exists:(field:container.runtime),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:container.runtime,negate:!t,type:exists,value:exists)),('$state':(store:appState),exists:(field:auditd.data.syscall),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:auditd.data.syscall,negate:!f,type:exists,value:exists))),query:(language:kuery,query:\u0027host.name:\u0022$host.name$\u0022\u0027))"
},
{
"url_name": "Raw data",
"time_range": "1h",
"url_value": "discover#/?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:kuery,query:\u0027host.name:\u0022$host.name$\u0022 AND process.executable:\u0022$process.executable$\u0022\u0027))"
}
]
}
}


@ -41,6 +41,10 @@
{
"id": "auth_rare_user",
"file": "auth_rare_user.json"
},
{
"id": "suspicious_login_activity",
"file": "suspicious_login_activity.json"
}
],
"datafeeds": [
@ -73,6 +77,11 @@
"id": "datafeed-auth_rare_user",
"file": "datafeed_auth_rare_user.json",
"job_id": "auth_rare_user"
},
{
"id": "datafeed-suspicious_login_activity",
"file": "datafeed_suspicious_login_activity.json",
"job_id": "suspicious_login_activity"
}
]
}


@ -5,19 +5,16 @@
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "authentication"
}
},
{
"term": {
"event.outcome": "success"
}
"bool": {
"filter": [{"exists": {"field": "source.ip"}}],
"must": [
{"bool": {
"should": [
{"term": {"event.category": "authentication"}},
{"term": {"event.outcome": "success"}}
]
}}
]
}
]
}
}
}
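Review bot: The rewritten query changes which events reach the job rather than only adding the `source.ip` check: the two `term` clauses that were both required inside `filter` now sit in a `bool.should` under `must` with no `minimum_should_match`, so any document with a `source.ip` that matches either `event.category: authentication` or `event.outcome: success` is fed to the job, including failed logons and successful non-authentication events. That widens the baseline of a "high count of logon events" detector and is likely unintended given the commit message only mentions the existence test. If so, keep the original conjunction and drop the `must` block: `"filter": [{"exists": {"field": "source.ip"}}, {"term": {"event.category": "authentication"}}, {"term": {"event.outcome": "success"}}]`. The datafeed's `indices` array opens before this hunk.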


@ -1,3 +1,3 @@
{
"icon": "logoSecurity"
}
}


@ -1,10 +1,10 @@
{
"id": "security_linux",
"id": "security_linux_v3",
"title": "Security: Linux",
"description": "Detect suspicious activity using ECS Linux events. Tested with Auditbeat and the Elastic agent.",
"description": "Anomaly detection jobs for Linux host based threat hunting and detection.",
"type": "linux data",
"logoFile": "logo.json",
"defaultIndexPattern": "auditbeat-*,logs-endpoint.events.*",
"defaultIndexPattern": "auditbeat-*,logs-*",
"query": {
"bool": {
"should": [
@ -40,66 +40,137 @@
}
}
}
],
"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }
]
}
},
"jobs": [
{
"id": "v2_rare_process_by_host_linux_ecs",
"file": "v2_rare_process_by_host_linux_ecs.json"
"id": "v3_linux_anomalous_network_port_activity",
"file": "v3_linux_anomalous_network_port_activity.json"
},
{
"id": "v2_linux_rare_metadata_user",
"file": "v2_linux_rare_metadata_user.json"
"id": "v3_linux_network_configuration_discovery",
"file": "v3_linux_network_configuration_discovery.json"
},
{
"id": "v2_linux_rare_metadata_process",
"file": "v2_linux_rare_metadata_process.json"
"id": "v3_linux_network_connection_discovery",
"file": "v3_linux_network_connection_discovery.json"
},
{
"id": "v2_linux_anomalous_user_name_ecs",
"file": "v2_linux_anomalous_user_name_ecs.json"
"id": "v3_linux_rare_sudo_user",
"file": "v3_linux_rare_sudo_user.json"
},
{
"id": "v2_linux_anomalous_process_all_hosts_ecs",
"file": "v2_linux_anomalous_process_all_hosts_ecs.json"
"id": "v3_linux_rare_user_compiler",
"file": "v3_linux_rare_user_compiler.json"
},
{
"id": "v2_linux_anomalous_network_port_activity_ecs",
"file": "v2_linux_anomalous_network_port_activity_ecs.json"
"id": "v3_linux_system_information_discovery",
"file": "v3_linux_system_information_discovery.json"
},
{
"id": "v3_linux_system_process_discovery",
"file": "v3_linux_system_process_discovery.json"
},
{
"id": "v3_linux_system_user_discovery",
"file": "v3_linux_system_user_discovery.json"
},
{
"id": "v3_linux_anomalous_process_all_hosts",
"file": "v3_linux_anomalous_process_all_hosts.json"
},
{
"id": "v3_linux_anomalous_user_name",
"file": "v3_linux_anomalous_user_name.json"
},
{
"id": "v3_linux_rare_metadata_process",
"file": "v3_linux_rare_metadata_process.json"
},
{
"id": "v3_linux_rare_metadata_user",
"file": "v3_linux_rare_metadata_user.json"
},
{
"id": "v3_rare_process_by_host_linux",
"file": "v3_rare_process_by_host_linux.json"
},
{
"id": "v3_linux_anomalous_network_activity",
"file": "v3_linux_anomalous_network_activity.json"
}
],
"datafeeds": [
{
"id": "datafeed-v2_rare_process_by_host_linux_ecs",
"file": "datafeed_v2_rare_process_by_host_linux_ecs.json",
"job_id": "v2_rare_process_by_host_linux_ecs"
"id": "datafeed-v3_linux_anomalous_network_port_activity",
"file": "datafeed_v3_linux_anomalous_network_port_activity.json",
"job_id": "v3_linux_anomalous_network_port_activity"
},
{
"id": "datafeed-v2_linux_rare_metadata_user",
"file": "datafeed_v2_linux_rare_metadata_user.json",
"job_id": "v2_linux_rare_metadata_user"
"id": "datafeed-v3_linux_network_configuration_discovery",
"file": "datafeed_v3_linux_network_configuration_discovery.json",
"job_id": "v3_linux_network_configuration_discovery"
},
{
"id": "datafeed-v2_linux_rare_metadata_process",
"file": "datafeed_v2_linux_rare_metadata_process.json",
"job_id": "v2_linux_rare_metadata_process"
"id": "datafeed-v3_linux_network_connection_discovery",
"file": "datafeed_v3_linux_network_connection_discovery.json",
"job_id": "v3_linux_network_connection_discovery"
},
{
"id": "datafeed-v2_linux_anomalous_user_name_ecs",
"file": "datafeed_v2_linux_anomalous_user_name_ecs.json",
"job_id": "v2_linux_anomalous_user_name_ecs"
"id": "datafeed-v3_linux_rare_sudo_user",
"file": "datafeed_v3_linux_rare_sudo_user.json",
"job_id": "v3_linux_rare_sudo_user"
},
{
"id": "datafeed-v2_linux_anomalous_process_all_hosts_ecs",
"file": "datafeed_v2_linux_anomalous_process_all_hosts_ecs.json",
"job_id": "v2_linux_anomalous_process_all_hosts_ecs"
"id": "datafeed-v3_linux_rare_user_compiler",
"file": "datafeed_v3_linux_rare_user_compiler.json",
"job_id": "v3_linux_rare_user_compiler"
},
{
"id": "datafeed-v2_linux_anomalous_network_port_activity_ecs",
"file": "datafeed_v2_linux_anomalous_network_port_activity_ecs.json",
"job_id": "v2_linux_anomalous_network_port_activity_ecs"
"id": "datafeed-v3_linux_system_information_discovery",
"file": "datafeed_v3_linux_system_information_discovery.json",
"job_id": "v3_linux_system_information_discovery"
},
{
"id": "datafeed-v3_linux_system_process_discovery",
"file": "datafeed_v3_linux_system_process_discovery.json",
"job_id": "v3_linux_system_process_discovery"
},
{
"id": "datafeed-v3_linux_system_user_discovery",
"file": "datafeed_v3_linux_system_user_discovery.json",
"job_id": "v3_linux_system_user_discovery"
},
{
"id": "datafeed-v3_linux_anomalous_process_all_hosts",
"file": "datafeed_v3_linux_anomalous_process_all_hosts.json",
"job_id": "v3_linux_anomalous_process_all_hosts"
},
{
"id": "datafeed-v3_linux_anomalous_user_name",
"file": "datafeed_v3_linux_anomalous_user_name.json",
"job_id": "v3_linux_anomalous_user_name"
},
{
"id": "datafeed-v3_linux_rare_metadata_process",
"file": "datafeed_v3_linux_rare_metadata_process.json",
"job_id": "v3_linux_rare_metadata_process"
},
{
"id": "datafeed-v3_linux_rare_metadata_user",
"file": "datafeed_v3_linux_rare_metadata_user.json",
"job_id": "v3_linux_rare_metadata_user"
},
{
"id": "datafeed-v3_rare_process_by_host_linux",
"file": "datafeed_v3_rare_process_by_host_linux.json",
"job_id": "v3_rare_process_by_host_linux"
},
{
"id": "datafeed-v3_linux_anomalous_network_activity",
"file": "datafeed_v3_linux_anomalous_network_activity.json",
"job_id": "v3_linux_anomalous_network_activity"
}
]
}
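Review bot: The `must_not` clause excluding `_tier: data_frozen` and `data_cold` is dropped from the module's recognizer query (the old `"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }` line has no counterpart on the new side), while in the first hunk `defaultIndexPattern` is widened from `logs-endpoint.events.*` to `logs-*`. Together these make module recognition, and by default every datafeed that inherits the index pattern, fan out over all `logs-*` data streams including cold and frozen tiers, which can be noticeably more expensive on large clusters and does not appear to be mentioned in the commit message. If the drop was not deliberate, restore `"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }` inside `query.bool` next to the `should` list. The `should` array that this hunk closes begins outside the visible lines.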


@ -1,71 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -1,66 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -1,23 +1,21 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool":
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must": [
"filter": [
{"term": {"event.category": "network"}},
{"term": {"event.type": "start"}}
],
"must": [
{
"bool": {
"should": [
{
{
"match": {
"host.os.type": {
"query": "linux",
@ -33,7 +31,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "redhat",
@ -41,7 +39,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "suse",
@ -49,7 +47,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "ubuntu",
@ -60,7 +58,20 @@
]
}
}
]
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::"}},
{"term": {"destination.ip": "::1"}},
{"term": {"user.name":"jenkins"}}
]
}
}
]
}
}
}
}
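Review bot: The new `must_not` block hardcodes `{"term": {"user.name":"jenkins"}}` into a datafeed shipped with the product, which silently removes every event attributed to an account with that name from the job's baseline and alerts; that looks like tuning for one build environment rather than a property of the detection, and the same suppression recurs in the next two datafeed sections (the one adding `127.0.0.53` beside an existing jenkins term, and the new file excluding `jenkins-worker`, `jenkins-user`, `jenkins` and `process.name: jenkins*`). Prefer leaving the user-name term out of the module and documenting it as an optional per-deployment filter, since a JSON datafeed cannot carry a comment explaining why a named account is exempt. The loopback and `::` destination exclusions are a reasonable default and can stay. Separately, the re-indented header lines and `"bool":` with its opening brace on the following line no longer match the formatting of the sibling datafeeds; run this file through the same formatter.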


@ -64,6 +64,7 @@
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::"}},
{"term": {"destination.ip": "::1"}},
{"term": {"user.name":"jenkins"}}
@ -73,4 +74,4 @@
]
}
}
}
}


@ -0,0 +1,101 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"term": {
"user.name": "jenkins-worker"
}
},
{
"term": {
"user.name": "jenkins-user"
}
},
{
"term": {
"user.name": "jenkins"
}
},
{
"wildcard": {
"process.name": {
"wildcard": "jenkins*"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,71 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}
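Review bot: Every `match` clause in the OS `should` list carries `"operator": "OR"`, which is the default and has no effect on a single-token value such as `"debian"`, so the five nested objects add noise without changing what is selected; the same boilerplate is repeated in every v3 Linux datafeed in this commit. If `host.os.family` and `host.os.type` are keyword-mapped as in ECS, the list collapses to `{"term": {"host.os.type": "linux"}}, {"terms": {"host.os.family": ["debian", "redhat", "suse", "ubuntu"]}}` with identical results; confirm the mapping before switching, since `match` and `term` differ on analyzed text fields. This file is otherwise identical to the v2 datafeed deleted earlier in the commit.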


@ -7,11 +7,6 @@
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
@ -38,7 +33,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "redhat",
@ -46,7 +41,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "suse",
@ -54,7 +49,7 @@
}
}
},
{
{
"match": {
"host.os.family": {
"query": "ubuntu",
@ -64,32 +59,43 @@
}
]
}
}
],
"must_not": [
},
{
"bool": {
"should": [
{
"term": {
"user.name": "jenkins-worker"
"process.name": "arp"
}
},
{
"term": {
"user.name": "jenkins-user"
"process.name": "echo"
}
},
{
"term": {
"user.name": "jenkins"
"process.name": "ethtool"
}
},
{
"wildcard": {
"process.name": {
"wildcard": "jenkins*"
}
"term": {
"process.name": "ifconfig"
}
},
{
"term": {
"process.name": "ip"
}
},
{
"term": {
"process.name": "iptables"
}
},
{
"term": {
"process.name": "ufw"
}
}
]
@ -98,4 +104,4 @@
]
}
}
}
}
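Review bot: The `{"term": {"event.category": "process"}}` filter is removed while the new `must` clause selects on `process.name`, leaving `event.type: start` as the only event-kind constraint; on sources that also emit `event.type: start` for other categories with `process.name` populated (endpoint network connection events, for example), one run of `ip`, `iptables` or `ufw` can be counted once per such event instead of once per launch, inflating the rate the job models. The same `event.type: start` without `event.category: process` pattern is used by the new connection-discovery, sudo, compiler and system-information datafeeds and by the process-discovery datafeed later in the commit. If that is not intended, keep `{"term": {"event.category": "process"}},` alongside the `event.type` term in `filter`. Also, `echo` is a general-purpose shell utility rather than a network-configuration tool and will likely dominate the counts on most hosts; confirm it belongs in this list. The closing braces of this file sit in a later hunk of the section.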


@ -0,0 +1,92 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
},
{
"bool": {
"should": [
{
"term": {
"process.name": "netstat"
}
},
{
"term": {
"process.name": "ss"
}
},
{
"term": {
"process.name": "route"
}
},
{
"term": {
"process.name": "showmount"
}
}
]
}
}
]
}
}
}


@ -0,0 +1,66 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,66 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}
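Review bot: This new datafeed is byte-for-byte identical to the one added in the preceding section, both filtering on `destination.ip: 169.254.169.254` with the same Linux OS `should` list, yet the manifest pairs every datafeed file with a distinct job, which suggests one of the two was copied as a template and not adapted. Confirm that both jobs really want only traffic to the cloud instance-metadata address; if not, replace the `filter` term with the selector the second job needs. The same query existed in a v2 datafeed deleted earlier in the commit, so the duplication may be inherited rather than introduced here.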


@ -0,0 +1,71 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
},
{
"term": {
"process.name": "sudo"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,92 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
},
{
"bool": {
"should": [
{
"term": {
"process.name": "compile"
}
},
{
"term": {
"process.name": "gcc"
}
},
{
"term": {
"process.name": "make"
}
},
{
"term": {
"process.name": "yasm"
}
}
]
}
}
]
}
}
}


@ -0,0 +1,132 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
},
{
"bool": {
"should": [
{
"term": {
"process.name": "cat"
}
},
{
"term": {
"process.name": "grep"
}
},
{
"term": {
"process.name": "head"
}
},
{
"term": {
"process.name": "hostname"
}
},
{
"term": {
"process.name": "less"
}
},
{
"term": {
"process.name": "ls"
}
},
{
"term": {
"process.name": "lsmod"
}
},
{
"term": {
"process.name": "more"
}
},
{
"term": {
"process.name": "strings"
}
},
{
"term": {
"process.name": "tail"
}
},
{
"term": {
"process.name": "uptime"
}
},
{
"term": {
"process.name": "uname"
}
}
]
}
}
]
}
}
}
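Review bot: The process list at L1662–L1727 mixes discovery-specific binaries (`hostname`, `lsmod`, `uname`, `uptime`) with general-purpose file utilities (`cat`, `grep`, `head`, `less`, `ls`, `more`, `tail`); under a rare-by-`user.name` detector the latter execute so frequently for every interactive user that they are likely to define the model's baseline and dilute the signal from the former. Filenames are not shown here, so I cannot confirm which job this datafeed pairs with, but the corresponding job description should state that the broad list is intentional if it is. Otherwise consider keeping only the binaries that are specific to system information discovery.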


@ -7,11 +7,6 @@
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
@ -64,8 +59,24 @@
}
]
}
},
{
"bool": {
"should": [
{
"term": {
"process.name": "ps"
}
},
{
"term": {
"process.name": "top"
}
}
]
}
}
]
}
}
}
}


@ -0,0 +1,92 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
},
{
"bool": {
"should": [
{
"term": {
"process.name": "users"
}
},
{
"term": {
"process.name": "w"
}
},
{
"term": {
"process.name": "who"
}
},
{
"term": {
"process.name": "whoami"
}
}
]
}
}
]
}
}
}


@ -0,0 +1,71 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -1,36 +0,0 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"host.name",
"user.name",
"process.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux"
}
}


@ -1,35 +0,0 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux"
}
}


@ -0,0 +1,63 @@
{
"job_type": "anomaly_detector",
"description": "Security: Linux - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
"groups": [
"auditbeat",
"endpoint",
"linux",
"network",
"security"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Detects rare process.name values.",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name",
"destination.ip"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "64mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"custom_settings": {
"job_tags": {
"euid": "4004",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
}
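Review bot: `custom_settings` is nested inside itself at L2060–L2061, so `job_tags` and `custom_urls` end up under `custom_settings.custom_settings` rather than `custom_settings`, and this job also has no `created_by` entry unlike its siblings in this commit (e.g. L2373, L2421); any consumer reading `custom_settings.job_tags` or `custom_settings.created_by` for this job will find nothing. Drop the inner `"custom_settings": {` line at L2061 and the matching closing brace at L2087, and add `"created_by": "ml-module-security-linux",` next to `job_tags`. Separately, `updated_date` is a US-locale date (`"5/16/2022"`) in every `job_tags` block of this commit; an ISO 8601 `"2022-05-16"` would be unambiguous to any downstream reader.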


@ -1,6 +1,6 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.",
"description": "Security: Linux - Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.",
"groups": [
"security",
"auditbeat",
@ -12,7 +12,7 @@
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"destination.port\"",
"detector_description": "Detects rare destination.port values.",
"function": "rare",
"by_field_name": "destination.port"
}
@ -32,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux",
"job_tags": {
"euid": "4005",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",
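Review bot: `created_by` becomes `ml-module-security-linux-v3` at L2122, but other jobs in the same module keep `ml-module-security-linux`, either as unchanged context (L2177, L2231, L2700) or newly written (L2373, L2421), while L2270, L2316, L2460, L2506, L2552, L2598 and L2644 take the `-v3` form. As far as I know `custom_settings.created_by` is what attributes module-created jobs back to their module in the ML UI, so it should be a single string across all jobs of the module. Pick one value, presumably the one matching the module id, and apply it everywhere, e.g. `"created_by": "ml-module-security-linux-v3",` on each job.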


@ -1,21 +1,21 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for processes that are unusual to a particular Linux host. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.",
"description": "Security: Linux - Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
"process",
"security"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare process executions on Linux",
"detector_description": "Detects rare process.name values.",
"function": "rare",
"by_field_name": "process.name",
"partition_field_name": "host.name"
"detector_index": 0
}
],
"influencers": [
@ -26,12 +26,22 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
"model_memory_limit": "512mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "4003",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux",
"custom_urls": [
{
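Review bot: The detector loses `"partition_field_name": "host.name"` (L2151 out, L2152 in) and the description flips from "a particular Linux host" to "all Linux hosts" (L2132–L2133), while the section at L2651–L2703 makes exactly the opposite change and the memory limits swap between them (256mb→512mb here at L2160–L2161, 512mb→256mb there at L2683–L2684). That is what a content swap between two job files looks like; this rendered page shows no filenames, so it may only be crosswise rename detection, but if the bodies landed in the wrong files each job now carries the other's definition. Please confirm that the job the Linux manifest registers as the by-host job is the one with the partition field and 256mb, and that the all-hosts job is the unpartitioned 512mb one.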


@ -1,20 +1,21 @@
{
"job_type": "anomaly_detector",
"description": "Security: Linux - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
"process",
"security"
],
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
"by_field_name": "user.name",
"detector_index": 0
}
],
"influencers": [
@ -25,12 +26,21 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
"model_memory_limit": "32mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "4008",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux",
"custom_urls": [
{


@ -1,16 +1,18 @@
{
"job_type": "anomaly_detector",
"description": "Security: Auditbeat - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
"description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -30,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"job_tags": {
"euid": "40012",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",
@ -50,4 +59,4 @@
}
]
}
}
}
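Review bot: `"euid": "40012"` at L2264 has five digits, while every other `job_tags.euid` in this commit is a four-digit value in the 4002–4018 range (L2116, L2171, L2225, L2310, L2367, L2415, L2454, L2500, L2546, L2592, L2638, L2694) and 4012 is otherwise absent from that sequence, so this looks like a typo for `"euid": "4012"`. If the tag is meant as a stable identifier for the job, it is worth fixing before release, since changing it later would disturb anything keyed on it.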


@ -1,16 +1,18 @@
{
"job_type": "anomaly_detector",
"description": "Security: Auditbeat - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
"description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -30,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"job_tags": {
"euid": "4013",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",
@ -50,4 +59,4 @@
}
]
}
}
}
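Review bot: The description edits in this and four sibling sections read as a rotation rather than a rewording: L2286→L2287 changes "network configuration" to "network connection" discovery while L2240→L2241 goes the other way, and L2522→L2523, L2568→L2569 and L2614→L2615 cycle process → information → owner discovery among three files. Filenames are not shown on this page, so this may simply be crosswise rename detection, but if the edits landed in the wrong files each job description now describes another datafeed's process list (the `users`/`w`/`who`/`whoami` list at L1839–L1864 belongs with the owner-discovery text, `ps`/`top` at L1752–L1767 with process discovery). Please confirm each job file's description matches the datafeed it is paired with in the Linux manifest.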


@ -0,0 +1,45 @@
{
"job_type": "anomaly_detector",
"description": "Security: Linux - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"auditbeat",
"endpoint",
"linux",
"process",
"security"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Detects rare process.name values.",
"function": "rare",
"by_field_name": "process.name",
"detector_index": 0
}
],
"influencers": [
"host.name",
"user.name",
"process.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "4009",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux" }
}
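Review bot: The closing brace of `custom_settings` is folded onto the `created_by` line at L2373 (`"created_by": "ml-module-security-linux" }`), unlike every other job in this commit where it sits on its own line (e.g. L2421–L2422). It is valid JSON, but it hides the nesting when scanning and is exactly what the linting pass mentioned in the commit message should have normalized. Put `"created_by": "ml-module-security-linux"` and `}` on separate lines.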


@ -0,0 +1,45 @@
{
"job_type": "anomaly_detector",
"description": "Security: Linux - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"auditbeat",
"endpoint",
"linux",
"process",
"security"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name",
"detector_index": 0
}
],
"influencers": [
"host.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "4010",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux"
}
}


@ -1,16 +1,18 @@
{
"job_type": "anomaly_detector",
"description": "Security: Auditbeat - Looks for sudo activity from an unusual user context.",
"description": "Security: Linux - Looks for sudo activity from an unusual user context. Unusual user context changes can be due to privilege escalation.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -30,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"job_tags": {
"euid": "4017",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",
@ -50,4 +59,4 @@
}
]
}
}
}


@ -1,16 +1,18 @@
{
"job_type": "anomaly_detector",
"description": "Security: Auditbeat - Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
"description": "Security: Linux - Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -30,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"job_tags": {
"euid": "4018",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by user name",
@ -42,4 +51,4 @@
}
]
}
}
}


@ -1,16 +1,18 @@
{
"job_type": "anomaly_detector",
"description": "Security: Auditbeat - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
"description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -30,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"job_tags": {
"euid": "4014",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",
@ -50,4 +59,4 @@
}
]
}
}
}


@ -1,16 +1,18 @@
{
"job_type": "anomaly_detector",
"description": "Security: Auditbeat - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
"description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -30,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"job_tags": {
"euid": "4015",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",
@ -50,4 +59,4 @@
}
]
}
}
}


@ -1,16 +1,18 @@
{
"job_type": "anomaly_detector",
"description": "Security: Auditbeat - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
"description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -30,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-auditbeat",
"job_tags": {
"euid": "4016",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",


@ -1,20 +1,22 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.",
"description": "Security: Linux - Looks for processes that are unusual to a particular Linux host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
"process",
"security"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"detector_description": "For each host.name, detects rare process.name values.",
"function": "rare",
"by_field_name": "process.name"
"by_field_name": "process.name",
"partition_field_name": "host.name",
"detector_index": 0
}
],
"influencers": [
@ -25,12 +27,21 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "512mb"
"model_memory_limit": "256mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "4002",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-linux",
"custom_urls": [
{


@ -1,3 +1,3 @@
{
"icon": "logoSecurity"
}
}


@ -1,10 +1,10 @@
{
"id": "security_windows",
"id": "security_windows_v3",
"title": "Security: Windows",
"description": "Detects suspicious activity using ECS Windows events. Tested with Winlogbeat and the Elastic agent.",
"description": "Anomaly detection jobs for Windows host based threat hunting and detection.",
"type": "windows data",
"logoFile": "logo.json",
"defaultIndexPattern": "winlogbeat-*,logs-endpoint.events.*",
"defaultIndexPattern": "winlogbeat-*,logs-*",
"query": {
"bool": {
"must": [
@ -30,84 +30,119 @@
]
}
}
],
"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }
]
}
},
"jobs": [
{
"id": "v2_rare_process_by_host_windows_ecs",
"file": "v2_rare_process_by_host_windows_ecs.json"
"id": "v3_windows_anomalous_service",
"file": "v3_windows_anomalous_service.json"
},
{
"id": "v2_windows_anomalous_network_activity_ecs",
"file": "v2_windows_anomalous_network_activity_ecs.json"
"id": "v3_windows_rare_user_runas_event",
"file": "v3_windows_rare_user_runas_event.json"
},
{
"id": "v2_windows_anomalous_path_activity_ecs",
"file": "v2_windows_anomalous_path_activity_ecs.json"
"id": "v3_windows_rare_user_type10_remote_login",
"file": "v3_windows_rare_user_type10_remote_login.json"
},
{
"id": "v2_windows_anomalous_process_all_hosts_ecs",
"file": "v2_windows_anomalous_process_all_hosts_ecs.json"
"id": "v3_rare_process_by_host_windows",
"file": "v3_rare_process_by_host_windows.json"
},
{
"id": "v2_windows_anomalous_process_creation",
"file": "v2_windows_anomalous_process_creation.json"
"id": "v3_windows_anomalous_network_activity",
"file": "v3_windows_anomalous_network_activity.json"
},
{
"id": "v2_windows_anomalous_user_name_ecs",
"file": "v2_windows_anomalous_user_name_ecs.json"
"id": "v3_windows_anomalous_path_activity",
"file": "v3_windows_anomalous_path_activity.json"
},
{
"id": "v2_windows_rare_metadata_process",
"file": "v2_windows_rare_metadata_process.json"
"id": "v3_windows_anomalous_process_all_hosts",
"file": "v3_windows_anomalous_process_all_hosts.json"
},
{
"id": "v2_windows_rare_metadata_user",
"file": "v2_windows_rare_metadata_user.json"
"id": "v3_windows_anomalous_process_creation",
"file": "v3_windows_anomalous_process_creation.json"
},
{
"id": "v3_windows_anomalous_user_name",
"file": "v3_windows_anomalous_user_name.json"
},
{
"id": "v3_windows_rare_metadata_process",
"file": "v3_windows_rare_metadata_process.json"
},
{
"id": "v3_windows_rare_metadata_user",
"file": "v3_windows_rare_metadata_user.json"
},
{
"id": "v3_windows_anomalous_script",
"file": "v3_windows_anomalous_script.json"
}
],
"datafeeds": [
{
"id": "datafeed-v2_rare_process_by_host_windows_ecs",
"file": "datafeed_v2_rare_process_by_host_windows_ecs.json",
"job_id": "v2_rare_process_by_host_windows_ecs"
"id": "datafeed-v3_windows_anomalous_service",
"file": "datafeed_v3_windows_anomalous_service.json",
"job_id": "v3_windows_anomalous_service"
},
{
"id": "datafeed-v2_windows_anomalous_network_activity_ecs",
"file": "datafeed_v2_windows_anomalous_network_activity_ecs.json",
"job_id": "v2_windows_anomalous_network_activity_ecs"
"id": "datafeed-v3_windows_rare_user_runas_event",
"file": "datafeed_v3_windows_rare_user_runas_event.json",
"job_id": "v3_windows_rare_user_runas_event"
},
{
"id": "datafeed-v2_windows_anomalous_path_activity_ecs",
"file": "datafeed_v2_windows_anomalous_path_activity_ecs.json",
"job_id": "v2_windows_anomalous_path_activity_ecs"
"id": "datafeed-v3_windows_rare_user_type10_remote_login",
"file": "datafeed_v3_windows_rare_user_type10_remote_login.json",
"job_id": "v3_windows_rare_user_type10_remote_login"
},
{
"id": "datafeed-v2_windows_anomalous_process_all_hosts_ecs",
"file": "datafeed_v2_windows_anomalous_process_all_hosts_ecs.json",
"job_id": "v2_windows_anomalous_process_all_hosts_ecs"
"id": "datafeed-v3_rare_process_by_host_windows",
"file": "datafeed_v3_rare_process_by_host_windows.json",
"job_id": "v3_rare_process_by_host_windows"
},
{
"id": "datafeed-v2_windows_anomalous_process_creation",
"file": "datafeed_v2_windows_anomalous_process_creation.json",
"job_id": "v2_windows_anomalous_process_creation"
"id": "datafeed-v3_windows_anomalous_network_activity",
"file": "datafeed_v3_windows_anomalous_network_activity.json",
"job_id": "v3_windows_anomalous_network_activity"
},
{
"id": "datafeed-v2_windows_anomalous_user_name_ecs",
"file": "datafeed_v2_windows_anomalous_user_name_ecs.json",
"job_id": "v2_windows_anomalous_user_name_ecs"
"id": "datafeed-v3_windows_anomalous_path_activity",
"file": "datafeed_v3_windows_anomalous_path_activity.json",
"job_id": "v3_windows_anomalous_path_activity"
},
{
"id": "datafeed-v2_windows_rare_metadata_process",
"file": "datafeed_v2_windows_rare_metadata_process.json",
"job_id": "v2_windows_rare_metadata_process"
"id": "datafeed-v3_windows_anomalous_process_all_hosts",
"file": "datafeed_v3_windows_anomalous_process_all_hosts.json",
"job_id": "v3_windows_anomalous_process_all_hosts"
},
{
"id": "datafeed-v2_windows_rare_metadata_user",
"file": "datafeed_v2_windows_rare_metadata_user.json",
"job_id": "v2_windows_rare_metadata_user"
"id": "datafeed-v3_windows_anomalous_process_creation",
"file": "datafeed_v3_windows_anomalous_process_creation.json",
"job_id": "v3_windows_anomalous_process_creation"
},
{
"id": "datafeed-v3_windows_anomalous_user_name",
"file": "datafeed_v3_windows_anomalous_user_name.json",
"job_id": "v3_windows_anomalous_user_name"
},
{
"id": "datafeed-v3_windows_rare_metadata_process",
"file": "datafeed_v3_windows_rare_metadata_process.json",
"job_id": "v3_windows_rare_metadata_process"
},
{
"id": "datafeed-v3_windows_rare_metadata_user",
"file": "datafeed_v3_windows_rare_metadata_user.json",
"job_id": "v3_windows_rare_metadata_user"
},
{
"id": "datafeed-v3_windows_anomalous_script",
"file": "datafeed_v3_windows_anomalous_script.json",
"job_id": "v3_windows_anomalous_script"
}
]
}
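Review bot: The `must_not` on `_tier` (`data_frozen`, `data_cold`) at L2733 appears to sit on the old side of the hunk (the `],` at L2732 followed by a bare `]` at L2734 is consistent with it being removed), which would mean the v3 manifest's recognizer query no longer excludes frozen and cold tiers and will search them every time the module recognizer runs; the side is not explicit on this rendered page, so please confirm and, if it was dropped, restore `"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }` inside the top-level `bool`. Separately, `defaultIndexPattern` widens from `winlogbeat-*,logs-endpoint.events.*` to `winlogbeat-*,logs-*` at L2723–L2724, so every datafeed in the module will scan all Fleet `logs-*` data streams; the per-datafeed `host.os` filters keep non-Windows documents out of the models, but scan cost now grows with every integration installed, which deserves a sentence in the module description if it is intended.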


@ -1,47 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -1,71 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "network"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"term": {
"destination.ip": "127.0.0.1"
}
},
{
"term": {
"destination.ip": "127.0.0.53"
}
},
{
"term": {
"destination.ip": "::1"
}
}
],
"minimum_should_match": 1
}
}
]
}
}
}


@ -1,47 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -1,47 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -1,23 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
}
]
}
}
}


@ -1,23 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
}
]
}
}
}


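--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,47 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"event.category": "process"
+}
+},
+{
+"term": {
+"event.type": "start"
+}
+}
+],
+"must": [
+{
+"bool": {
+"should": [
+{
+"match": {
+"host.os.family": {
+"query": "windows",
+"operator": "OR"
+}
+}
+},
+{
+"match": {
+"host.os.type": {
+"query": "windows",
+"operator": "OR"
+}
+}
+}
+]
+}
+}
+]
+}
+}
+}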
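Review bot: The host-OS `should` clause inside `must` carries no explicit `minimum_should_match`, so whether a document must match one of the two `match` queries depends on the implicit default for a `bool` that has only `should` clauses; adding `"minimum_should_match": 1` after the `should` array, as the network datafeed in this commit already does for its `must_not`, makes the intent explicit. The same datafeed body is added verbatim in four more files (the sections ending at L3348, L3399, L3450 and L3541), so the same change applies to all five. The `match` queries with `"operator": "OR"` on a single-token value behave like a plain `match`; if `host.os.family` and `host.os.type` are keyword-mapped as in ECS, a `term` query, e.g. `{"term": {"host.os.family": "windows"}}`, expresses the same filter more precisely and without analysis.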


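--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,71 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"event.category": "network"
+}
+},
+{
+"term": {
+"event.type": "start"
+}
+}
+],
+"must": [
+{
+"bool": {
+"should": [
+{
+"match": {
+"host.os.family": {
+"query": "windows",
+"operator": "OR"
+}
+}
+},
+{
+"match": {
+"host.os.type": {
+"query": "windows",
+"operator": "OR"
+}
+}
+}
+]
+}
+}
+],
+"must_not": [
+{
+"bool": {
+"should": [
+{
+"term": {
+"destination.ip": "127.0.0.1"
+}
+},
+{
+"term": {
+"destination.ip": "127.0.0.53"
+}
+},
+{
+"term": {
+"destination.ip": "::1"
+}
+}
+],
+"minimum_should_match": 1
+}
+}
+]
+}
+}
+}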
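Review bot: The `must_not` block excludes only three literal loopback addresses, so traffic to any other 127.0.0.0/8 address still reaches the rare `process.name` model and can dominate it on hosts that use non-standard loopback addresses. If `destination.ip` is mapped as an `ip` field (as in ECS), a single `{"term": {"destination.ip": "127.0.0.0/8"}}` covers the whole IPv4 loopback range and can replace the `127.0.0.1` and `127.0.0.53` entries next to the existing `"::1"`. A one-line comment in the datafeed manifest or job description explaining why loopback is excluded would help the next maintainer, since the file format itself cannot carry comments.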


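--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,47 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"event.category": "process"
+}
+},
+{
+"term": {
+"event.type": "start"
+}
+}
+],
+"must": [
+{
+"bool": {
+"should": [
+{
+"match": {
+"host.os.family": {
+"query": "windows",
+"operator": "OR"
+}
+}
+},
+{
+"match": {
+"host.os.type": {
+"query": "windows",
+"operator": "OR"
+}
+}
+}
+]
+}
+}
+]
+}
+}
+}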


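--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,47 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"event.category": "process"
+}
+},
+{
+"term": {
+"event.type": "start"
+}
+}
+],
+"must": [
+{
+"bool": {
+"should": [
+{
+"match": {
+"host.os.family": {
+"query": "windows",
+"operator": "OR"
+}
+}
+},
+{
+"match": {
+"host.os.type": {
+"query": "windows",
+"operator": "OR"
+}
+}
+}
+]
+}
+}
+]
+}
+}
+}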


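--- /dev/null
+++ b/PATH_NOT_ON_PAGE_5
@@ -0,0 +1,47 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"event.category": "process"
+}
+},
+{
+"term": {
+"event.type": "start"
+}
+}
+],
+"must": [
+{
+"bool": {
+"should": [
+{
+"match": {
+"host.os.family": {
+"query": "windows",
+"operator": "OR"
+}
+}
+},
+{
+"match": {
+"host.os.type": {
+"query": "windows",
+"operator": "OR"
+}
+}
+}
+]
+}
+}
+]
+}
+}
+}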


@ -9,12 +9,7 @@
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
"event.provider": "Microsoft-Windows-PowerShell"
}
}
],


@ -9,12 +9,7 @@
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
"event.code": "7045"
}
}
],
@ -44,4 +39,4 @@
]
}
}
}
}
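Review bot: The new filter matches `event.code` `"7045"` without an `event.provider` qualifier, and Windows event IDs are only unique within a provider, so if the module's index pattern covers channels beyond the System log an unrelated provider's 7045 would be pulled into the rare `winlog.event_data.ServiceName` model. Pairing it with `{"term": {"event.provider": "Service Control Manager"}}` (the provider that emits 7045 in the System log — confirm against the ingested events) pins the feed to service installations. The same bare `event.code` filter is used for `"4648"` in the datafeed ending at L3641; the `query` object here continues outside the hunk.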


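--- /dev/null
+++ b/PATH_NOT_ON_PAGE_6
@@ -0,0 +1,47 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"event.category": "process"
+}
+},
+{
+"term": {
+"event.type": "start"
+}
+}
+],
+"must": [
+{
+"bool": {
+"should": [
+{
+"match": {
+"host.os.family": {
+"query": "windows",
+"operator": "OR"
+}
+}
+},
+{
+"match": {
+"host.os.type": {
+"query": "windows",
+"operator": "OR"
+}
+}
+}
+]
+}
+}
+]
+}
+}
+}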


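--- /dev/null
+++ b/PATH_NOT_ON_PAGE_7
@@ -0,0 +1,23 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"host.os.family": "windows"
+}
+},
+{
+"term": {
+"destination.ip": "169.254.169.254"
+}
+}
+]
+}
+}
+}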
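Review bot: This feed matches the OS with a single `term` on `host.os.family` and has no `host.os.type` alternative, unlike every other v3 Windows datafeed in this commit, so hosts that only populate `host.os.type` are silently excluded; the identical file ending at L3595 has the same gap. There is also no `event.category` restriction, so any document carrying `destination.ip: 169.254.169.254` (flow, DNS or proxy records as well as process network events) feeds the rare `process.name` and `user.name` detectors. Reusing the `must`/`should` host-OS block from the process datafeeds and adding `{"term": {"event.category": "network"}}` to the `filter` array keeps these two feeds consistent with their siblings.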


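--- /dev/null
+++ b/PATH_NOT_ON_PAGE_8
@@ -0,0 +1,23 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"host.os.family": "windows"
+}
+},
+{
+"term": {
+"destination.ip": "169.254.169.254"
+}
+}
+]
+}
+}
+}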


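--- /dev/null
+++ b/PATH_NOT_ON_PAGE_9
@@ -0,0 +1,42 @@
+{
+"job_id": "JOB_ID",
+"indices": [
+"INDEX_PATTERN_NAME"
+],
+"max_empty_searches": 10,
+"query": {
+"bool": {
+"filter": [
+{
+"term": {
+"event.code": "4648"
+}
+}
+],
+"must": [
+{
+"bool": {
+"should": [
+{
+"match": {
+"host.os.family": {
+"query": "windows",
+"operator": "OR"
+}
+}
+},
+{
+"match": {
+"host.os.type": {
+"query": "windows",
+"operator": "OR"
+}
+}
+}
+]
+}
+}
+]
+}
+}
+}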


@ -1,11 +1,11 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
@ -38,5 +38,5 @@
}
]
}
}
}
}
}


@ -1,54 +0,0 @@
{
"job_type": "anomaly_detector",
"groups": [
"security",
"sysmon",
"windows",
"winlogbeat",
"process"
],
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.working_directory\"",
"function": "rare",
"by_field_name": "process.working_directory"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -1,38 +0,0 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"sysmon",
"windows",
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"process.name",
"host.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows"
}
}


@ -1,37 +0,0 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"sysmon",
"windows",
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows"
}
}


@ -1,23 +1,24 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Detects unusually rare processes on Windows hosts.",
"description": "Security: Windows - Looks for processes that are unusual to a particular Windows host. Such unusual processes may indicate unauthorized software, malware, or persistence mechanisms.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"security",
"sysmon",
"windows",
"winlogbeat",
"process"
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare process executions on Windows",
"detector_description": "For each host.name, detects rare process.name values.",
"function": "rare",
"by_field_name": "process.name",
"partition_field_name": "host.name"
"partition_field_name": "host.name",
"detector_index": 0
}
],
"influencers": [
@ -28,12 +29,21 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
"model_memory_limit": "256mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "8001",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows",
"custom_urls": [
{
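Review bot: `"updated_date": "5/16/2022"` in `job_tags` is a locale-formatted date; an ISO 8601 value, `"updated_date": "2022-05-16"`, sorts and parses unambiguously, and the same string is added to every job file in this commit (sections ending at L3932, L4001, L4058, L4116, L4173, L4218, L4274, L4325, L4375, L4417 and L4457). The added `"categorization_examples_limit": 4`, `"time_format": "epoch_ms"` and `"detector_index": 0` are server defaults echoed back by a GET response; on a `rare` detector with no categorization field they change nothing, and omitting them keeps the checked-in source as minimal as the pre-v3 files were. The `custom_settings` object continues outside the hunk.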


@ -1,21 +1,22 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
"description": "Security: Windows - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
"groups": [
"security",
"endpoint",
"network",
"security",
"sysmon",
"windows",
"winlogbeat",
"network"
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"detector_description": "Detects rare process.name values.",
"function": "rare",
"by_field_name": "process.name"
"by_field_name": "process.name",
"detector_index": 0
}
],
"influencers": [
@ -27,12 +28,21 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "64mb"
"model_memory_limit": "64mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "8003",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows",
"custom_urls": [
{
@ -53,4 +63,4 @@
}
]
}
}
}


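--- /dev/null
+++ b/PATH_NOT_ON_PAGE_10
@@ -0,0 +1,65 @@
+{
+"job_type": "anomaly_detector",
+"description": "Security: Windows - Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.",
+"groups": [
+"endpoint",
+"network",
+"security",
+"sysmon",
+"windows",
+"winlogbeat"
+],
+"analysis_config": {
+"bucket_span": "15m",
+"detectors": [
+{
+"detector_description": "Detects rare process.working_directory values.",
+"function": "rare",
+"by_field_name": "process.working_directory",
+"detector_index": 0
+}
+],
+"influencers": [
+"host.name",
+"process.name",
+"user.name"
+]
+},
+"allow_lazy_open": true,
+"analysis_limits": {
+"model_memory_limit": "256mb",
+"categorization_examples_limit": 4
+},
+"data_description": {
+"time_field": "@timestamp",
+"time_format": "epoch_ms"
+},
+"custom_settings": {
+"job_tags": {
+"euid": "8004",
+"maturity": "release",
+"author": "@randomuserid/Elastic",
+"version": "3",
+"updated_date": "5/16/2022"
+},
+"created_by": "ml-module-security-windows",
+"custom_urls": [
+{
+"url_name": "Host Details by process name",
+"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+},
+{
+"url_name": "Host Details by user name",
+"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+},
+{
+"url_name": "Hosts Overview by process name",
+"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+},
+{
+"url_name": "Hosts Overview by user name",
+"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+}
+]
+}
+}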
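Review bot: The `groups` list tags this job as `network` and omits `process` and `event-log`, while its detector is `rare` on `process.working_directory` and the sibling v3 process jobs in this commit use `endpoint, event-log, process, security, sysmon, windows, winlogbeat`; anyone filtering jobs by group will therefore find this one under network activity instead of process activity. Replacing `"network"` with `"event-log"` and `"process"` aligns it with the other process jobs.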


@ -1,22 +1,23 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
"description": "Security: Windows - Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized software, malware, or persistence mechanisms.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"security",
"sysmon",
"windows",
"winlogbeat",
"process"
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare process.executable values.",
"function": "rare",
"by_field_name": "user.name"
"by_field_name": "process.executable",
"detector_index": 0
}
],
"influencers": [
@ -27,12 +28,21 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
"model_memory_limit": "256mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "8002",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows",
"custom_urls": [
{


@ -1,23 +1,24 @@
{
"job_type": "anomaly_detector",
"description": "Security: Windows - Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"security",
"sysmon",
"windows",
"winlogbeat",
"process"
"winlogbeat"
],
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Unusual process creation activity",
"detector_description": "For each process.parent.name, detects rare process.name values.",
"function": "rare",
"by_field_name": "process.name",
"partition_field_name": "process.parent.name"
"partition_field_name": "process.parent.name",
"detector_index": 0
}
],
"influencers": [
@ -28,12 +29,21 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
"model_memory_limit": "256mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "8005",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows",
"custom_urls": [
{


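--- /dev/null
+++ b/PATH_NOT_ON_PAGE_11
@@ -0,0 +1,53 @@
+{
+"job_type": "anomaly_detector",
+"description": "Security: Windows - Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms.",
+"groups": [
+"endpoint",
+"event-log",
+"process",
+"windows",
+"winlogbeat",
+"powershell"
+],
+"analysis_config": {
+"bucket_span": "15m",
+"detectors": [
+{
+"detector_description": "Detects high information content in powershell.file.script_block_text values.",
+"function": "high_info_content",
+"field_name": "powershell.file.script_block_text"
+}
+],
+"influencers": [
+"host.name",
+"user.name",
+"file.Path"
+]
+},
+"allow_lazy_open": true,
+"analysis_limits": {
+"model_memory_limit": "256mb"
+},
+"data_description": {
+"time_field": "@timestamp"
+},
+"custom_settings": {
+"job_tags": {
+"euid": "8006",
+"maturity": "release",
+"author": "@randomuserid/Elastic",
+"version": "3",
+"updated_date": "5/16/2022"
+},
+"custom_urls": [
+{
+"url_name": "Host Details by user name",
+"url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+},
+{
+"url_name": "Hosts Overview by user name",
+"url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+}
+]
+}
+}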
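Review bot: `custom_settings` has no `created_by` key, which every other v3 job in this commit sets (`"created_by": "ml-module-security-windows"`), and `groups` omits `security`, present in all sibling jobs; both make this job hard to attribute to the module. The influencer `"file.Path"` does not follow the lowercase ECS field naming (`file.path`) and presumably never populates — confirm against the ingested PowerShell documents. The `custom_urls` still use the legacy `siem#/ml-hosts/...?kqlQuery=(filterQuery:...` form while the other jobs here use `security/hosts/ml-hosts/...?...query=(query:...)`; updating them to the same form keeps the drill-down links on the current app path.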


@ -1,16 +1,20 @@
{
"job_type": "anomaly_detector",
"groups": [
"endpoint",
"event-log",
"process",
"security",
"winlogbeat",
"system"
"sysmon",
"windows",
"winlogbeat"
],
"description": "Security: Winlogbeat - Looks for rare and unusual Windows services which may indicate execution of unauthorized services, malware, or persistence mechanisms.",
"description": "Security: Windows - Looks for rare and unusual Windows service names which may indicate execution of unauthorized services, malware, or persistence mechanisms.",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"winlog.event_data.ServiceName\"",
"detector_description": "Detects rare winlog.event_data.ServiceName values.",
"function": "rare",
"by_field_name": "winlog.event_data.ServiceName"
}
@ -28,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"job_tags": {
"euid": "8007",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows-v3",
"custom_urls": [
{
"url_name": "Host Details",


@ -1,22 +1,23 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized services, malware, or persistence mechanisms.",
"description": "Security: Windows - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"security",
"sysmon",
"windows",
"winlogbeat",
"process"
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.executable\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "process.executable"
"by_field_name": "user.name",
"detector_index": 0
}
],
"influencers": [
@ -27,12 +28,21 @@
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
"model_memory_limit": "256mb",
"categorization_examples_limit": 4
},
"data_description": {
"time_field": "@timestamp"
"time_field": "@timestamp",
"time_format": "epoch_ms"
},
"custom_settings": {
"job_tags": {
"euid": "8008",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows",
"custom_urls": [
{


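--- /dev/null
+++ b/PATH_NOT_ON_PAGE_12
@@ -0,0 +1,47 @@
+{
+"job_type": "anomaly_detector",
+"description": "Security: Windows - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+"groups": [
+"security",
+"endpoint",
+"process",
+"sysmon",
+"windows",
+"winlogbeat"
+],
+"analysis_config": {
+"bucket_span": "15m",
+"detectors": [
+{
+"detector_description": "Detects rare process.name values.",
+"function": "rare",
+"by_field_name": "process.name",
+"detector_index": 0
+}
+],
+"influencers": [
+"process.name",
+"host.name",
+"user.name"
+]
+},
+"allow_lazy_open": true,
+"analysis_limits": {
+"model_memory_limit": "32mb",
+"categorization_examples_limit": 4
+},
+"data_description": {
+"time_field": "@timestamp",
+"time_format": "epoch_ms"
+},
+"custom_settings": {
+"job_tags": {
+"euid": "8011",
+"maturity": "release",
+"author": "@randomuserid/Elastic",
+"version": "3",
+"updated_date": "5/16/2022"
+},
+"created_by": "ml-module-security-windows"
+}
+}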


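--- /dev/null
+++ b/PATH_NOT_ON_PAGE_13
@@ -0,0 +1,46 @@
+{
+"job_type": "anomaly_detector",
+"description": "Security: Windows - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+"groups": [
+"endpoint",
+"process",
+"security",
+"sysmon",
+"windows",
+"winlogbeat"
+],
+"analysis_config": {
+"bucket_span": "15m",
+"detectors": [
+{
+"detector_description": "Detects rare user.name values.",
+"function": "rare",
+"by_field_name": "user.name",
+"detector_index": 0
+}
+],
+"influencers": [
+"host.name",
+"user.name"
+]
+},
+"allow_lazy_open": true,
+"analysis_limits": {
+"model_memory_limit": "32mb",
+"categorization_examples_limit": 4
+},
+"data_description": {
+"time_field": "@timestamp",
+"time_format": "epoch_ms"
+},
+"custom_settings": {
+"job_tags": {
+"euid": "8012",
+"maturity": "release",
+"author": "@randomuserid/Elastic",
+"version": "3",
+"updated_date": "5/16/2022"
+},
+"created_by": "ml-module-security-windows"
+}
+}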


@ -1,8 +1,11 @@
{
"job_type": "anomaly_detector",
"description": "Security: Winlogbeat Auth - Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.",
"description": "Security: Windows - Unusual user context switches can be due to privilege escalation.",
"groups": [
"endpoint",
"event-log",
"security",
"windows",
"winlogbeat",
"authentication"
],
@ -10,7 +13,7 @@
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -29,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat-auth",
"job_tags": {
"euid": "8009",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",


@ -1,8 +1,11 @@
{
"job_type": "anomaly_detector",
"description": "Security: Winlogbeat - Unusual user context switches can be due to privilege escalation.",
"description": "Security: Windows - Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.",
"groups": [
"endpoint",
"event-log",
"security",
"windows",
"winlogbeat",
"authentication"
],
@ -10,7 +13,7 @@
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"detector_description": "Detects rare user.name values.",
"function": "rare",
"by_field_name": "user.name"
}
@ -29,7 +32,14 @@
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-siem-winlogbeat",
"job_tags": {
"euid": "8013",
"maturity": "release",
"author": "@randomuserid/Elastic",
"version": "3",
"updated_date": "5/16/2022"
},
"created_by": "ml-module-security-windows-v3",
"custom_urls": [
{
"url_name": "Host Details by process name",


@ -1,3 +0,0 @@
{
"icon": "logoSecurity"
}


@ -1,173 +0,0 @@
{
"id": "siem_auditbeat",
"title": "Security: Auditbeat",
"description": "Detect suspicious network activity and unusual processes in Auditbeat data.",
"type": "Auditbeat data",
"logoFile": "logo.json",
"defaultIndexPattern": "auditbeat-*",
"query": {
"bool": {
"filter": [
{"term": {"agent.type": "auditbeat"}}
],
"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }
}
},
"jobs": [
{
"id": "rare_process_by_host_linux_ecs",
"file": "rare_process_by_host_linux_ecs.json"
},
{
"id": "linux_anomalous_network_activity_ecs",
"file": "linux_anomalous_network_activity_ecs.json"
},
{
"id": "linux_anomalous_network_port_activity_ecs",
"file": "linux_anomalous_network_port_activity_ecs.json"
},
{
"id": "linux_anomalous_network_service",
"file": "linux_anomalous_network_service.json"
},
{
"id": "linux_anomalous_network_url_activity_ecs",
"file": "linux_anomalous_network_url_activity_ecs.json"
},
{
"id": "linux_anomalous_process_all_hosts_ecs",
"file": "linux_anomalous_process_all_hosts_ecs.json"
},
{
"id": "linux_anomalous_user_name_ecs",
"file": "linux_anomalous_user_name_ecs.json"
},
{
"id": "linux_rare_metadata_process",
"file": "linux_rare_metadata_process.json"
},
{
"id": "linux_rare_metadata_user",
"file": "linux_rare_metadata_user.json"
},
{
"id": "linux_rare_user_compiler",
"file": "linux_rare_user_compiler.json"
},
{
"id": "linux_rare_kernel_module_arguments",
"file": "linux_rare_kernel_module_arguments.json"
},
{
"id": "linux_rare_sudo_user",
"file": "linux_rare_sudo_user.json"
},
{
"id": "linux_system_user_discovery",
"file": "linux_system_user_discovery.json"
},
{
"id": "linux_system_information_discovery",
"file": "linux_system_information_discovery.json"
},
{
"id": "linux_system_process_discovery",
"file": "linux_system_process_discovery.json"
},
{
"id": "linux_network_connection_discovery",
"file": "linux_network_connection_discovery.json"
},
{
"id": "linux_network_configuration_discovery",
"file": "linux_network_configuration_discovery.json"
}
],
"datafeeds": [
{
"id": "datafeed-rare_process_by_host_linux_ecs",
"file": "datafeed_rare_process_by_host_linux_ecs.json",
"job_id": "rare_process_by_host_linux_ecs"
},
{
"id": "datafeed-linux_anomalous_network_activity_ecs",
"file": "datafeed_linux_anomalous_network_activity_ecs.json",
"job_id": "linux_anomalous_network_activity_ecs"
},
{
"id": "datafeed-linux_anomalous_network_port_activity_ecs",
"file": "datafeed_linux_anomalous_network_port_activity_ecs.json",
"job_id": "linux_anomalous_network_port_activity_ecs"
},
{
"id": "datafeed-linux_anomalous_network_service",
"file": "datafeed_linux_anomalous_network_service.json",
"job_id": "linux_anomalous_network_service"
},
{
"id": "datafeed-linux_anomalous_network_url_activity_ecs",
"file": "datafeed_linux_anomalous_network_url_activity_ecs.json",
"job_id": "linux_anomalous_network_url_activity_ecs"
},
{
"id": "datafeed-linux_anomalous_process_all_hosts_ecs",
"file": "datafeed_linux_anomalous_process_all_hosts_ecs.json",
"job_id": "linux_anomalous_process_all_hosts_ecs"
},
{
"id": "datafeed-linux_anomalous_user_name_ecs",
"file": "datafeed_linux_anomalous_user_name_ecs.json",
"job_id": "linux_anomalous_user_name_ecs"
},
{
"id": "datafeed-linux_rare_metadata_process",
"file": "datafeed_linux_rare_metadata_process.json",
"job_id": "linux_rare_metadata_process"
},
{
"id": "datafeed-linux_rare_metadata_user",
"file": "datafeed_linux_rare_metadata_user.json",
"job_id": "linux_rare_metadata_user"
},
{
"id": "datafeed-linux_rare_user_compiler",
"file": "datafeed_linux_rare_user_compiler.json",
"job_id": "linux_rare_user_compiler"
},
{
"id": "datafeed-linux_rare_kernel_module_arguments",
"file": "datafeed_linux_rare_kernel_module_arguments.json",
"job_id": "linux_rare_kernel_module_arguments"
},
{
"id": "datafeed-linux_rare_sudo_user",
"file": "datafeed_linux_rare_sudo_user.json",
"job_id": "linux_rare_sudo_user"
},
{
"id": "datafeed-linux_system_information_discovery",
"file": "datafeed_linux_system_information_discovery.json",
"job_id": "linux_system_information_discovery"
},
{
"id": "datafeed-linux_system_process_discovery",
"file": "datafeed_linux_system_process_discovery.json",
"job_id": "linux_system_process_discovery"
},
{
"id": "datafeed-linux_system_user_discovery",
"file": "datafeed_linux_system_user_discovery.json",
"job_id": "linux_system_user_discovery"
},
{
"id": "datafeed-linux_network_configuration_discovery",
"file": "datafeed_linux_network_configuration_discovery.json",
"job_id": "linux_network_configuration_discovery"
},
{
"id": "datafeed-linux_network_connection_discovery",
"file": "datafeed_linux_network_connection_discovery.json",
"job_id": "linux_network_connection_discovery"
}
]
}


@ -1,27 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"term": {"event.action": "connected-to"}},
{"term": {"agent.type": "auditbeat"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "127.0.0.53"}},
{"term": {"destination.ip": "::1"}}
],
"minimum_should_match": 1
}
}
]
}
}
}


@ -1,28 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"term": {"event.action": "connected-to"}},
{"term": {"agent.type": "auditbeat"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip":"::1"}},
{"term": {"destination.ip":"127.0.0.1"}},
{"term": {"destination.ip":"::"}},
{"term": {"user.name_map.uid":"jenkins"}}
],
"minimum_should_match": 1
}
}
]
}
}
}


@ -1,27 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"term": {"event.action": "bound-socket"}},
{"term": {"agent.type": "auditbeat"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"process.name": "dnsmasq"}},
{"term": {"process.name": "docker-proxy"}},
{"term": {"process.name": "rpcinfo"}}
],
"minimum_should_match": 1
}
}
]
}
}
}


@ -1,28 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool":{
"filter": [
{"exists": {"field": "destination.ip"}},
{"terms": {"process.name": ["curl", "wget"]}},
{"term": {"agent.type": "auditbeat"}}
],
"must_not":[
{
"bool":{
"should":[
{"term":{"destination.ip": "::1"}},
{"term":{"destination.ip": "127.0.0.1"}},
{"term":{"destination.ip":"169.254.169.254"}}
],
"minimum_should_match": 1
}
}
]
}
}
}


@ -1,28 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"terms": {"event.action": ["process_started", "executed"]}},
{"term": {"agent.type": "auditbeat"}}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"user.name": "jenkins-worker"}},
{"term": {"user.name": "jenkins-user"}},
{"term": {"user.name": "jenkins"}},
{"wildcard": {"process.name": {"wildcard": "jenkins*"}}}
],
"minimum_should_match": 1
}
}
]
}
}
}


@ -1,15 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"terms": {"event.action": ["process_started", "executed"]}},
{"term": {"agent.type":"auditbeat"}}
]
}
}
}


@ -1,26 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{"term": {"process.name": "arp"}},
{"term": {"process.name": "echo"}},
{"term": {"process.name": "ethtool"}},
{"term": {"process.name": "ifconfig"}},
{"term": {"process.name": "ip"}},
{"term": {"process.name": "iptables"}},
{"term": {"process.name": "ufw"}}
]
}
}
]
}
}
}


@ -1,23 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{"term": {"process.name": "netstat"}},
{"term": {"process.name": "ss"}},
{"term": {"process.name": "route"}},
{"term": {"process.name": "showmount"}}
]
}
}
]
}
}
}


@ -1,22 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [{"exists": {"field": "process.title"}}],
"must": [
{"bool": {
"should": [
{"term": {"process.name": "insmod"}},
{"term": {"process.name": "kmod"}},
{"term": {"process.name": "modprobe"}},
{"term": {"process.name": "rmod"}}
]
}}
]
}
}
}


@ -1,12 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [{"term": {"destination.ip": "169.254.169.254"}}]
}
}
}


@ -1,12 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [{"term": {"destination.ip": "169.254.169.254"}}]
}
}
}


@ -1,15 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{"term": {"event.action": "executed"}},
{"term": {"process.name": "sudo"}}
]
}
}
}


@ -1,22 +0,0 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [{"term": {"event.action": "executed"}}],
"must": [
{"bool": {
"should": [
{"term": {"process.name": "compile"}},
{"term": {"process.name": "gcc"}},
{"term": {"process.name": "make"}},
{"term": {"process.name": "yasm"}}
]
}}
]
}
}
}
