[ML] Adds security_linux and security_windows Modules (#85065)

* initial commit

refactored multi-index, multi-pipeline jobs for 7.11. These are new modules that will live alongside the existing jobs.

* Update ml_modules.tsx

added new module names to the list

* Update get_module.ts

added new module names

* Linter fixes

* Order matters

* manifest fixes

added colon char to the module name and shortened the description

* addition to description

after talking with the security team today, adding this suggested text to the beginning of the description so it will tend to be visible to the user:
"This is a new refactored job which works on ECS compatible events across multiple indices."

* Adjust module recognizer test for auditbeat dataset

* influencers

changes to the metadata jobs to make influencers identical to the originals

* change for security app

changes to two datafeeds needed for logic in the Security app - added the suffix "_ecs" to two ids.

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Co-authored-by: Robert Oskamp <robert.oskamp@elastic.co>
Craig Chamberlain 2020-12-10 14:02:41 -05:00 committed by GitHub
parent 1c36ab9236
commit 313d85e985
35 changed files with 1730 additions and 1 deletions


@ -0,0 +1,3 @@
{
"icon": "logoSecurity"
}


@ -0,0 +1,104 @@
{
"id": "security_linux",
"title": "Security: Linux",
"description": "Detect suspicious activity using ECS Linux events. Tested with Auditbeat and the Elastic agent.",
"type": "linux data",
"logoFile": "logo.json",
"defaultIndexPattern": "auditbeat-*,logs-endpoint.events.*",
"query": {
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
}
]
}
},
"jobs": [
{
"id": "v2_rare_process_by_host_linux_ecs",
"file": "v2_rare_process_by_host_linux_ecs.json"
},
{
"id": "v2_linux_rare_metadata_user",
"file": "v2_linux_rare_metadata_user.json"
},
{
"id": "v2_linux_rare_metadata_process",
"file": "v2_linux_rare_metadata_process.json"
},
{
"id": "v2_linux_anomalous_user_name_ecs",
"file": "v2_linux_anomalous_user_name_ecs.json"
},
{
"id": "v2_linux_anomalous_process_all_hosts_ecs",
"file": "v2_linux_anomalous_process_all_hosts_ecs.json"
},
{
"id": "v2_linux_anomalous_network_port_activity_ecs",
"file": "v2_linux_anomalous_network_port_activity_ecs.json"
}
],
"datafeeds": [
{
"id": "datafeed-v2_rare_process_by_host_linux_ecs",
"file": "datafeed_v2_rare_process_by_host_linux_ecs.json",
"job_id": "v2_rare_process_by_host_linux_ecs"
},
{
"id": "datafeed-v2_linux_rare_metadata_user",
"file": "datafeed_v2_linux_rare_metadata_user.json",
"job_id": "v2_linux_rare_metadata_user"
},
{
"id": "datafeed-v2_linux_rare_metadata_process",
"file": "datafeed_v2_linux_rare_metadata_process.json",
"job_id": "v2_linux_rare_metadata_process"
},
{
"id": "datafeed-v2_linux_anomalous_user_name_ecs",
"file": "datafeed_v2_linux_anomalous_user_name_ecs.json",
"job_id": "v2_linux_anomalous_user_name_ecs"
},
{
"id": "datafeed-v2_linux_anomalous_process_all_hosts_ecs",
"file": "datafeed_v2_linux_anomalous_process_all_hosts_ecs.json",
"job_id": "v2_linux_anomalous_process_all_hosts_ecs"
},
{
"id": "datafeed-v2_linux_anomalous_network_port_activity_ecs",
"file": "datafeed_v2_linux_anomalous_network_port_activity_ecs.json",
"job_id": "v2_linux_anomalous_network_port_activity_ecs"
}
]
}
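Review bot: The recognizer query's `host.os.family` clauses stop at debian/redhat/suse, while every Linux datafeed in this commit additionally matches `host.os.family: ubuntu`, so a data set that reports only `host.os.family: ubuntu` (without `host.os.type: linux`) would not be recognized for the module yet would be eligible for its datafeeds. Either add the `ubuntu` clause here or drop it from the datafeeds so the two stay in step; under ECS an Ubuntu host normally reports family `debian`, which is presumably why it is absent here, so it is worth confirming which is intended. The `"operator": "OR"` on each single-term `match` is the default and a no-op, so it can be dropped for brevity.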


@ -0,0 +1,76 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool":
{
"filter": [
{"term": {"event.category": "network"}},
{"term": {"event.type": "start"}}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{"term": {"destination.ip": "127.0.0.1"}},
{"term": {"destination.ip": "::"}},
{"term": {"destination.ip": "::1"}},
{"term": {"user.name":"jenkins"}}
]
}
}
]
}
}
}
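Review bot: The `must_not` block hard-codes `{"term": {"user.name":"jenkins"}}` into a shipped datafeed, so activity by any real account with that name is never modelled — a permanent blind spot a deployment cannot see or override without editing the datafeed. The same environment-specific exclusions (`jenkins`, `jenkins-worker`, `jenkins-user`, `process.name: jenkins*`) appear in the process-all-hosts datafeed that follows this one. If they are needed to keep the reference data set clean, the rationale should be recorded somewhere visible (module docs or the PR description), otherwise this tuning is better left to the deployment through the job's own filter/custom-rule mechanism. Separately, this `bool` inside `must_not` omits `"minimum_should_match": 1` while the Windows network datafeed sets it explicitly; the behaviour is the same, but aligning the two avoids the appearance of a difference.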


@ -0,0 +1,101 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"term": {
"user.name": "jenkins-worker"
}
},
{
"term": {
"user.name": "jenkins-user"
}
},
{
"term": {
"user.name": "jenkins"
}
},
{
"wildcard": {
"process.name": {
"wildcard": "jenkins*"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,71 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,66 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}
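Review bot: The only content filter here is `"destination.ip": "169.254.169.254"`, with no `event.category`/`event.type` restriction unlike every other datafeed in the commit, so any event category that carries that destination feeds the model; presumably intentional, but a line in the module docs saying so would stop the next reader from "fixing" it. The same shape is used by the Linux rare_metadata_user datafeed that follows and by the two Windows metadata datafeeds. If IPv6-only instances are in scope, note that the IPv6 metadata endpoint (`fd00:ec2::254` on AWS) is not covered by this term.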


@ -0,0 +1,66 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"destination.ip": "169.254.169.254"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,71 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.type": {
"query": "linux",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "debian",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "redhat",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "suse",
"operator": "OR"
}
}
},
{
"match": {
"host.os.family": {
"query": "ubuntu",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,55 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"network"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"destination.port\"",
"function": "rare",
"by_field_name": "destination.port"
}
],
"influencers": [
"host.name",
"process.name",
"user.name",
"destination.ip"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
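Review bot: Each `url_value` splices `$process.name$` and `$user.name$` straight into a rison-encoded KQL string (`query:'process.name%20:%20%22$process.name$%22'`); both values are chosen by whoever launched the process, so unless the custom-URL token substitution percent-encodes the value, a name containing `'`, `)` or `"` yields a broken or mis-scoped query when an analyst clicks through. Worth confirming that the substitution layer encodes tokens; if it does, a short note in the module docs saying so would save the next reviewer the same question. The same four URL templates are repeated verbatim in every job file in this commit, so whatever is decided applies to all of them.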


@ -0,0 +1,54 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "512mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,54 @@
{
"job_type": "anomaly_detector",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,36 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"host.name",
"user.name",
"process.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux"
}
}


@ -0,0 +1,35 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux"
}
}


@ -0,0 +1,55 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Linux - Looks for processes that are unusual to a particular Linux host. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.",
"groups": [
"security",
"auditbeat",
"endpoint",
"linux",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare process executions on Linux",
"function": "rare",
"by_field_name": "process.name",
"partition_field_name": "host.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-linux",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,3 @@
{
"icon": "logoSecurity"
}


@ -0,0 +1,112 @@
{
"id": "security_windows",
"title": "Security: Windows",
"description": "Detects suspicious activity using ECS Windows events. Tested with Winlogbeat and the Elastic agent.",
"type": "windows data",
"logoFile": "logo.json",
"defaultIndexPattern": "winlogbeat-*,logs-endpoint.events.*",
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
},
"jobs": [
{
"id": "v2_rare_process_by_host_windows_ecs",
"file": "v2_rare_process_by_host_windows_ecs.json"
},
{
"id": "v2_windows_anomalous_network_activity_ecs",
"file": "v2_windows_anomalous_network_activity_ecs.json"
},
{
"id": "v2_windows_anomalous_path_activity_ecs",
"file": "v2_windows_anomalous_path_activity_ecs.json"
},
{
"id": "v2_windows_anomalous_process_all_hosts_ecs",
"file": "v2_windows_anomalous_process_all_hosts_ecs.json"
},
{
"id": "v2_windows_anomalous_process_creation",
"file": "v2_windows_anomalous_process_creation.json"
},
{
"id": "v2_windows_anomalous_user_name_ecs",
"file": "v2_windows_anomalous_user_name_ecs.json"
},
{
"id": "v2_windows_rare_metadata_process",
"file": "v2_windows_rare_metadata_process.json"
},
{
"id": "v2_windows_rare_metadata_user",
"file": "v2_windows_rare_metadata_user.json"
}
],
"datafeeds": [
{
"id": "datafeed-v2_rare_process_by_host_windows_ecs",
"file": "datafeed_v2_rare_process_by_host_windows_ecs.json",
"job_id": "v2_rare_process_by_host_windows_ecs"
},
{
"id": "datafeed-v2_windows_anomalous_network_activity_ecs",
"file": "datafeed_v2_windows_anomalous_network_activity_ecs.json",
"job_id": "v2_windows_anomalous_network_activity_ecs"
},
{
"id": "datafeed-v2_windows_anomalous_path_activity_ecs",
"file": "datafeed_v2_windows_anomalous_path_activity_ecs.json",
"job_id": "v2_windows_anomalous_path_activity_ecs"
},
{
"id": "datafeed-v2_windows_anomalous_process_all_hosts_ecs",
"file": "datafeed_v2_windows_anomalous_process_all_hosts_ecs.json",
"job_id": "v2_windows_anomalous_process_all_hosts_ecs"
},
{
"id": "datafeed-v2_windows_anomalous_process_creation",
"file": "datafeed_v2_windows_anomalous_process_creation.json",
"job_id": "v2_windows_anomalous_process_creation"
},
{
"id": "datafeed-v2_windows_anomalous_user_name_ecs",
"file": "datafeed_v2_windows_anomalous_user_name_ecs.json",
"job_id": "v2_windows_anomalous_user_name_ecs"
},
{
"id": "datafeed-v2_windows_rare_metadata_process",
"file": "datafeed_v2_windows_rare_metadata_process.json",
"job_id": "v2_windows_rare_metadata_process"
},
{
"id": "datafeed-v2_windows_rare_metadata_user",
"file": "datafeed_v2_windows_rare_metadata_user.json",
"job_id": "v2_windows_rare_metadata_user"
}
]
}
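Review bot: The `jobs` list mixes `_ecs`-suffixed and unsuffixed ids (`v2_windows_anomalous_process_creation`, `v2_windows_rare_metadata_process`, `v2_windows_rare_metadata_user` have no suffix), and the commit message says the suffix on certain ids is relied upon by the Security app, but nothing in the manifest records that dependency, so a later "normalize the names" cleanup could silently break it. Suggest documenting which ids are load-bearing next to the module, since the manifest itself has no comment field. Minor style: the Linux manifest puts its OS `should` clauses directly under `bool`, while this one wraps them in `must`; the two are equivalent, and `"description": "Detects ..."` here versus `"Detect ..."` in the Linux manifest could be aligned at the same time.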


@ -0,0 +1,47 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,71 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "network"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"term": {
"destination.ip": "127.0.0.1"
}
},
{
"term": {
"destination.ip": "127.0.0.53"
}
},
{
"term": {
"destination.ip": "::1"
}
}
],
"minimum_should_match": 1
}
}
]
}
}
}
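Review bot: The loopback exclusion list here contains `127.0.0.53` but not `::`, while the Linux network datafeed earlier in this commit excludes `::` but not `127.0.0.53`; `127.0.0.53` is the systemd-resolved stub resolver address, a Linux-side convention, so the two lists look like they were not deliberately different. Every excluded address is traffic the model never sees, so it would be good to settle on one minimal, documented list (`127.0.0.1`, `::1`, plus whichever of `::`/`127.0.0.53` actually occur on each platform) and use it in both datafeeds.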


@ -0,0 +1,47 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,47 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,47 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,47 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "process"
}
},
{
"term": {
"event.type": "start"
}
}
],
"must": [
{
"bool": {
"should": [
{
"match": {
"host.os.family": {
"query": "windows",
"operator": "OR"
}
}
},
{
"match": {
"host.os.type": {
"query": "windows",
"operator": "OR"
}
}
}
]
}
}
]
}
}
}


@ -0,0 +1,23 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
}
]
}
}
}
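Review bot: This datafeed selects Windows hosts with `{"term": {"host.os.family": "windows"}}` only, whereas every other Windows datafeed and the module manifest accept either `host.os.family: windows` or `host.os.type: windows`; a host that reports only `host.os.type` would therefore be eligible for the other jobs but silently dropped from the two metadata jobs. The rare_metadata_user datafeed that follows has the same filter. Suggest reusing the `bool.should` with both `match` clauses that the sibling datafeeds use, so the OS gate is identical across the module.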


@ -0,0 +1,23 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"term": {
"host.os.family": "windows"
}
},
{
"term": {
"destination.ip": "169.254.169.254"
}
}
]
}
}
}


@ -0,0 +1,57 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Detects unusually rare processes on Windows hosts.",
"groups": [
"security",
"endpoint",
"event-log",
"sysmon",
"windows",
"winlogbeat",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare process executions on Windows",
"function": "rare",
"by_field_name": "process.name",
"partition_field_name": "host.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,56 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
"groups": [
"security",
"endpoint",
"sysmon",
"windows",
"winlogbeat",
"network"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name",
"destination.ip"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "64mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}


@ -0,0 +1,54 @@
{
"job_type": "anomaly_detector",
"groups": [
"security",
"sysmon",
"windows",
"winlogbeat",
"process"
],
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.working_directory\"",
"function": "rare",
"by_field_name": "process.working_directory"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
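Review bot: The `groups` array here omits `endpoint` and `event-log`, which the sibling Windows process jobs (rare_process_by_host, anomalous_process_all_hosts) include, even though the module's default index pattern includes `logs-endpoint.events.*` and this job's datafeed applies the same `event.category: process` filter as theirs. If the omission is deliberate (for example because `process.working_directory` is not populated by those sources) a note in the module docs would help; otherwise adding the two tags keeps group-based filtering in the ML UI consistent across the module. Key order also differs from the other job files (`groups` before `description`), which is harmless but worth aligning.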


@ -0,0 +1,56 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized services, malware, or persistence mechanisms.",
"groups": [
"security",
"endpoint",
"event-log",
"sysmon",
"windows",
"winlogbeat",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.executable\"",
"function": "rare",
"by_field_name": "process.executable"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
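Review bot: `rare by "process.executable"` (L1656-L1658) treats the value as an exact term, yet Windows paths are case-insensitive and the sources this job is grouped for (`sysmon`, `winlogbeat`, `endpoint` at L1645-L1649) are free to report the same binary with different path casing, so one executable may be modelled as several distinct rare values and surface as noise on the first event from each source. Consider normalizing case at ingest (or a lowercase keyword normalizer on `process.executable`) before relying on this detector, and state the assumption where users will see it, e.g. append to the description `"Assumes process.executable is case-normalized across all sources the datafeed reads."`. The datafeed that selects indices and filters events for this job is not in this chunk, so whether any `event.category` filter is applied could not be checked.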


@ -0,0 +1,57 @@
{
"job_type": "anomaly_detector",
"groups": [
"security",
"endpoint",
"event-log",
"sysmon",
"windows",
"winlogbeat",
"process"
],
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.",
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Unusual process creation activity",
"function": "rare",
"by_field_name": "process.name",
"partition_field_name": "process.parent.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
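Review bot: The detector_description at L1716, `Unusual process creation activity`, is the only one in these jobs that does not follow the `rare by "<field>"` form the siblings use (L1656, L1777, L1837), which makes it harder to match the detector to its configuration in the job list; `rare by "process.name" partitioned by "process.parent.name"` would be consistent and self-describing. Also worth documenting is `"allow_lazy_open": true` (L1728): a lazily opened job can sit unassigned when no ML node has capacity and produce no results, which for a security detection job is a silent coverage gap, so the module docs (or the description) should tell operators to monitor job state. JSON has no comment syntax, so the detector_description and description fields are the only places to carry these notes.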


@ -0,0 +1,56 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
"groups": [
"security",
"endpoint",
"event-log",
"sysmon",
"windows",
"winlogbeat",
"process"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"process.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "256mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows",
"custom_urls": [
{
"url_name": "Host Details by process name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Host Details by user name",
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by process name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
},
{
"url_name": "Hosts Overview by user name",
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
}
]
}
}
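Review bot: The description at L1763 promises detection of lateral movement, but the detector at L1777-L1779 is `rare by "user.name"` with no partition, so rarity is judged across the whole fleet: an account that is common on one host and appears for the first time on another (the lateral-movement case) is not rare and will not be scored. Either narrow the description to fleet-wide rare accounts, or partition per host by adding `"partition_field_name": "host.name"` to the detector (this raises model cardinality, so the 256mb limit at L1790 would need re-checking). Note also that `user.name` alone does not distinguish a local account from a domain account of the same name, which matters on Windows; whether `user.domain` or `user.id` is populated in the datafeed's indices is not visible here.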


@ -0,0 +1,38 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"sysmon",
"windows",
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"process.name\"",
"function": "rare",
"by_field_name": "process.name"
}
],
"influencers": [
"process.name",
"host.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows"
}
}
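Review bot: Nothing in this job config scopes events to the metadata service; that scoping presumably lives in the datafeed (not in this chunk), so the description at L1823 is only as accurate as that query. If the datafeed matches a single IPv4 link-local address, access over an IPv6 endpoint or a hostname alias is not modelled, and the description should name what is covered, e.g. append `"Scoped by the datafeed to the metadata endpoint(s) listed there; other cloud providers' endpoints are not covered."`. This job also lacks the `custom_urls` block the other Windows jobs ship (compare L1674-L1693), so analysts get no pivot into the Security app from its anomalies; unless that is deliberate, the same four URLs apply, since host.name, process.name and user.name are all influencers here (L1842-L1846).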


@ -0,0 +1,37 @@
{
"job_type": "anomaly_detector",
"description": "This is a new refactored job which works on ECS compatible events across multiple indices. Security: Windows - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
"groups": [
"security",
"endpoint",
"event-log",
"process",
"sysmon",
"windows",
"winlogbeat"
],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "rare by \"user.name\"",
"function": "rare",
"by_field_name": "user.name"
}
],
"influencers": [
"host.name",
"user.name"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-windows"
}
}
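Review bot: The influencers at L1884-L1887 omit `process.name`, unlike the sibling metadata job (L1842-L1846) and the other `rare by "user.name"` job (L1782-L1786), so an anomaly here reports which user reached the metadata service but not through what process, which is the first thing an analyst needs to separate a legitimate agent from credential harvesting. Adding `"process.name"` to the influencers keeps the two metadata jobs symmetric; its memory impact should be re-checked against the 32mb limit at L1891. As with its sibling, this job ships no `custom_urls`, so no pivot to Host Details is offered from the anomaly.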


@ -16,4 +16,6 @@ export const mlModules: string[] = [
'siem_packetbeat',
'siem_winlogbeat',
'siem_winlogbeat_auth',
'security_linux',
'security_windows',
];


@ -25,6 +25,8 @@ const moduleIds = [
'nginx_ecs',
'sample_data_ecommerce',
'sample_data_weblogs',
'security_linux',
'security_windows',
'siem_auditbeat',
'siem_auditbeat_auth',
'siem_cloudtrail',


@ -132,7 +132,7 @@ export default ({ getService }: FtrProviderContext) => {
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['auditbeat_process_hosts_ecs', 'siem_auditbeat'],
moduleIds: ['auditbeat_process_hosts_ecs', 'security_linux', 'siem_auditbeat'],
},
},
];