[ML] Edits labelling of SIEM module and jobs from SIEM to Security (#71696)
## Summary Edits all references to 'SIEM' in the ML SIEM modules to 'Security'. The following parts of the configurations were edited: - Module titles - Module descriptions - Job descriptions - `siem` job group changed to `security` The `siem#/` portion of the custom URLs was also edited to `security/`. Also removes the 'beta' label from module and job descriptions.   Part of #69319
This commit is contained in:
Pete Harverson
GitHub
parent
a0f7dced13
commit
e010ed3d09
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"id": "siem_auditbeat",
|
||||
"title": "SIEM Auditbeat",
|
||||
"description": "Detect suspicious network activity and unusual processes in Auditbeat data (beta).",
|
||||
"title": "Security: Auditbeat",
|
||||
"description": "Detect suspicious network activity and unusual processes in Auditbeat data.",
|
||||
"type": "Auditbeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "auditbeat-*",
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Auditbeat: Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity (beta)",
|
||||
"description": "Security: Auditbeat - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"auditbeat",
|
||||
"process"
|
||||
],
|
||||
|
|
@ -34,19 +34,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Auditbeat: Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity (beta)",
|
||||
"description": "Security: Auditbeat - Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"auditbeat",
|
||||
"network"
|
||||
],
|
||||
|
|
@ -34,19 +34,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"auditbeat",
|
||||
"network"
|
||||
],
|
||||
"description": "SIEM Auditbeat: Looks for unusual listening ports that could indicate execution of unauthorized services, backdoors, or persistence mechanisms (beta)",
|
||||
"description": "Security: Auditbeat - Looks for unusual listening ports that could indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
|
|
@ -33,20 +33,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,40 +1,40 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"groups": [
|
||||
"siem",
|
||||
"auditbeat",
|
||||
"network"
|
||||
"job_type": "anomaly_detector",
|
||||
"groups": [
|
||||
"security",
|
||||
"auditbeat",
|
||||
"network"
|
||||
],
|
||||
"description": "Security: Auditbeat - Looks for an unusual web URL request from a Linux instance. Curl and wget web request activity is very common but unusual web requests from a Linux server can sometimes be malware delivery or execution.",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"process.title\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "process.title"
|
||||
}
|
||||
],
|
||||
"description": "SIEM Auditbeat: Looks for an unusual web URL request from a Linux instance. Curl and wget web request activity is very common but unusual web requests from a Linux server can sometimes be malware delivery or execution (beta)",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"process.title\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "process.title"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"destination.ip",
|
||||
"destination.port"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "32mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"destination.ip",
|
||||
"destination.port"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "32mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-auditbeat",
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Auditbeat: Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms (beta)",
|
||||
"description": "Security: Auditbeat - Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"auditbeat",
|
||||
"process"
|
||||
],
|
||||
|
|
@ -33,20 +33,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"auditbeat",
|
||||
"process"
|
||||
],
|
||||
"description": "SIEM Auditbeat: Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement (beta)",
|
||||
"description": "Security: Auditbeat - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
|
|
@ -33,19 +33,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Auditbeat: Detect unusually rare processes on Linux (beta)",
|
||||
"description": "Security: Auditbeat - Detect unusually rare processes on Linux",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"auditbeat",
|
||||
"process"
|
||||
],
|
||||
|
|
@ -34,20 +34,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"id": "siem_auditbeat_auth",
|
||||
"title": "SIEM Auditbeat Authentication",
|
||||
"description": "Detect suspicious authentication events in Auditbeat data (beta).",
|
||||
"title": "Security: Auditbeat Authentication",
|
||||
"description": "Detect suspicious authentication events in Auditbeat data.",
|
||||
"type": "Auditbeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "auditbeat-*",
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Auditbeat: Detect unusually high number of authentication attempts (beta)",
|
||||
"description": "Security: Auditbeat - Detect unusually high number of authentication attempts.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"auditbeat",
|
||||
"authentication"
|
||||
],
|
||||
|
|
@ -33,8 +33,8 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "IP Address Details",
|
||||
"url_value": "siem#/ml-network/ip/$source.ip$?_g=()&query=!n&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/network/ml-network/ip/$source.ip$?_g=()&query=!n&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,64 +1,64 @@
|
|||
{
|
||||
"id": "siem_cloudtrail",
|
||||
"title": "SIEM Cloudtrail",
|
||||
"description": "Detect suspicious activity recorded in your cloudtrail logs.",
|
||||
"type": "Filebeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "filebeat-*",
|
||||
"query": {
|
||||
"bool": {
|
||||
"filter": [
|
||||
{"term": {"event.dataset": "aws.cloudtrail"}}
|
||||
]
|
||||
}
|
||||
"id": "siem_cloudtrail",
|
||||
"title": "Security: Cloudtrail",
|
||||
"description": "Detect suspicious activity recorded in your cloudtrail logs.",
|
||||
"type": "Filebeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "filebeat-*",
|
||||
"query": {
|
||||
"bool": {
|
||||
"filter": [
|
||||
{"term": {"event.dataset": "aws.cloudtrail"}}
|
||||
]
|
||||
}
|
||||
},
|
||||
"jobs": [
|
||||
{
|
||||
"id": "rare_method_for_a_city",
|
||||
"file": "rare_method_for_a_city.json"
|
||||
},
|
||||
"jobs": [
|
||||
{
|
||||
"id": "rare_method_for_a_city",
|
||||
"file": "rare_method_for_a_city.json"
|
||||
},
|
||||
{
|
||||
"id": "rare_method_for_a_country",
|
||||
"file": "rare_method_for_a_country.json"
|
||||
},
|
||||
{
|
||||
"id": "rare_method_for_a_username",
|
||||
"file": "rare_method_for_a_username.json"
|
||||
},
|
||||
{
|
||||
"id": "high_distinct_count_error_message",
|
||||
"file": "high_distinct_count_error_message.json"
|
||||
},
|
||||
{
|
||||
"id": "rare_error_code",
|
||||
"file": "rare_error_code.json"
|
||||
}
|
||||
],
|
||||
"datafeeds": [
|
||||
{
|
||||
"id": "datafeed-rare_method_for_a_city",
|
||||
"file": "datafeed_rare_method_for_a_city.json",
|
||||
"job_id": "rare_method_for_a_city"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-rare_method_for_a_country",
|
||||
"file": "datafeed_rare_method_for_a_country.json",
|
||||
"job_id": "rare_method_for_a_country"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-rare_method_for_a_username",
|
||||
"file": "datafeed_rare_method_for_a_username.json",
|
||||
"job_id": "rare_method_for_a_username"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-high_distinct_count_error_message",
|
||||
"file": "datafeed_high_distinct_count_error_message.json",
|
||||
"job_id": "high_distinct_count_error_message"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-rare_error_code",
|
||||
"file": "datafeed_rare_error_code.json",
|
||||
"job_id": "rare_error_code"
|
||||
}
|
||||
]
|
||||
}
|
||||
{
|
||||
"id": "rare_method_for_a_country",
|
||||
"file": "rare_method_for_a_country.json"
|
||||
},
|
||||
{
|
||||
"id": "rare_method_for_a_username",
|
||||
"file": "rare_method_for_a_username.json"
|
||||
},
|
||||
{
|
||||
"id": "high_distinct_count_error_message",
|
||||
"file": "high_distinct_count_error_message.json"
|
||||
},
|
||||
{
|
||||
"id": "rare_error_code",
|
||||
"file": "rare_error_code.json"
|
||||
}
|
||||
],
|
||||
"datafeeds": [
|
||||
{
|
||||
"id": "datafeed-rare_method_for_a_city",
|
||||
"file": "datafeed_rare_method_for_a_city.json",
|
||||
"job_id": "rare_method_for_a_city"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-rare_method_for_a_country",
|
||||
"file": "datafeed_rare_method_for_a_country.json",
|
||||
"job_id": "rare_method_for_a_country"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-rare_method_for_a_username",
|
||||
"file": "datafeed_rare_method_for_a_username.json",
|
||||
"job_id": "rare_method_for_a_username"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-high_distinct_count_error_message",
|
||||
"file": "datafeed_high_distinct_count_error_message.json",
|
||||
"job_id": "high_distinct_count_error_message"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-rare_error_code",
|
||||
"file": "datafeed_rare_error_code.json",
|
||||
"job_id": "rare_error_code"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,33 +1,33 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"cloudtrail"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Cloudtrail - Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.",
|
||||
"groups": [
|
||||
"security",
|
||||
"cloudtrail"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "high_distinct_count(\"aws.cloudtrail.error_message\")",
|
||||
"function": "high_distinct_count",
|
||||
"field_name": "aws.cloudtrail.error_message"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "high_distinct_count(\"aws.cloudtrail.error_message\")",
|
||||
"function": "high_distinct_count",
|
||||
"field_name": "aws.cloudtrail.error_message"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,33 +1,33 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"cloudtrail"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Cloudtrail - Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.",
|
||||
"groups": [
|
||||
"security",
|
||||
"cloudtrail"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"aws.cloudtrail.error_code\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "aws.cloudtrail.error_code"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"aws.cloudtrail.error_code\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "aws.cloudtrail.error_code"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "16mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,34 +1,34 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"cloudtrail"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Cloudtrail - Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys.",
|
||||
"groups": [
|
||||
"security",
|
||||
"cloudtrail"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"event.action\" partition by \"source.geo.city_name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "event.action",
|
||||
"partition_field_name": "source.geo.city_name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"event.action\" partition by \"source.geo.city_name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "event.action",
|
||||
"partition_field_name": "source.geo.city_name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,34 +1,34 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"cloudtrail"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Cloudtrail - Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys.",
|
||||
"groups": [
|
||||
"security",
|
||||
"cloudtrail"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"event.action\" partition by \"source.geo.country_iso_code\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "event.action",
|
||||
"partition_field_name": "source.geo.country_iso_code"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"event.action\" partition by \"source.geo.country_iso_code\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "event.action",
|
||||
"partition_field_name": "source.geo.country_iso_code"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.country_iso_code"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
"influencers": [
|
||||
"aws.cloudtrail.user_identity.arn",
|
||||
"source.ip",
|
||||
"source.geo.country_iso_code"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "64mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,34 +1,34 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"cloudtrail"
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Security: Cloudtrail - Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.",
|
||||
"groups": [
|
||||
"security",
|
||||
"cloudtrail"
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"event.action\" partition by \"user.name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "event.action",
|
||||
"partition_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"analysis_config": {
|
||||
"bucket_span": "60m",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by \"event.action\" partition by \"user.name\"",
|
||||
"function": "rare",
|
||||
"by_field_name": "event.action",
|
||||
"partition_field_name": "user.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"user.name",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "128mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
"influencers": [
|
||||
"user.name",
|
||||
"source.ip",
|
||||
"source.geo.city_name"
|
||||
]
|
||||
},
|
||||
"allow_lazy_open": true,
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "128mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp"
|
||||
},
|
||||
"custom_settings": {
|
||||
"created_by": "ml-module-siem-cloudtrail"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"id": "siem_packetbeat",
|
||||
"title": "SIEM Packetbeat",
|
||||
"description": "Detect suspicious network activity in Packetbeat data (beta).",
|
||||
"title": "Security: Packetbeat",
|
||||
"description": "Detect suspicious network activity in Packetbeat data.",
|
||||
"type": "Packetbeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "packetbeat-*",
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Packetbeat: Looks for unusual DNS activity that could indicate command-and-control or data exfiltration activity (beta)",
|
||||
"description": "Security: Packetbeat - Looks for unusual DNS activity that could indicate command-and-control or data exfiltration activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"packetbeat",
|
||||
"dns"
|
||||
],
|
||||
|
|
@ -48,7 +48,7 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Packetbeat: Looks for unusual DNS activity that could indicate command-and-control activity (beta)",
|
||||
"description": "Security: Packetbeat - Looks for unusual DNS activity that could indicate command-and-control activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"packetbeat",
|
||||
"dns"
|
||||
],
|
||||
|
|
@ -31,7 +31,7 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Packetbeat: Looks for unusual HTTP or TLS destination domain activity that could indicate execution, persistence, command-and-control or data exfiltration activity (beta)",
|
||||
"description": "Security: Packetbeat - Looks for unusual HTTP or TLS destination domain activity that could indicate execution, persistence, command-and-control or data exfiltration activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"packetbeat",
|
||||
"web"
|
||||
],
|
||||
|
|
@ -33,7 +33,7 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Packetbeat: Looks for unusual web browsing URL activity that could indicate execution, persistence, command-and-control or data exfiltration activity (beta)",
|
||||
"description": "Security: Packetbeat - Looks for unusual web browsing URL activity that could indicate execution, persistence, command-and-control or data exfiltration activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"packetbeat",
|
||||
"web"
|
||||
],
|
||||
|
|
@ -32,7 +32,7 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Packetbeat: Looks for unusual HTTP user agent activity that could indicate execution, persistence, command-and-control or data exfiltration activity (beta)",
|
||||
"description": "Security: Packetbeat - Looks for unusual HTTP user agent activity that could indicate execution, persistence, command-and-control or data exfiltration activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"packetbeat",
|
||||
"web"
|
||||
],
|
||||
|
|
@ -14,7 +14,7 @@
|
|||
"function": "rare",
|
||||
"by_field_name": "user_agent.original"
|
||||
}
|
||||
],
|
||||
],
|
||||
"influencers": [
|
||||
"host.name",
|
||||
"destination.ip"
|
||||
|
|
@ -32,7 +32,7 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"id": "siem_winlogbeat",
|
||||
"title": "SIEM Winlogbeat",
|
||||
"description": "Detect unusual processes and network activity in Winlogbeat data (beta).",
|
||||
"title": "Security: Winlogbeat",
|
||||
"description": "Detect unusual processes and network activity in Winlogbeat data.",
|
||||
"type": "Winlogbeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "winlogbeat-*",
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Winlogbeat: Detect unusually rare processes on Windows (beta)",
|
||||
"description": "Security: Winlogbeat - Detect unusually rare processes on Windows.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"process"
|
||||
],
|
||||
|
|
@ -34,20 +34,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Winlogbeat: Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity (beta)",
|
||||
"description": "Security: Winlogbeat - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"network"
|
||||
],
|
||||
|
|
@ -34,19 +34,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"process"
|
||||
],
|
||||
"description": "SIEM Winlogbeat: Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths (beta)",
|
||||
"description": "Security: Winlogbeat - Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
|
|
@ -33,20 +33,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Winlogbeat: Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized services, malware, or persistence mechanisms (beta)",
|
||||
"description": "Security: Winlogbeat - Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized services, malware, or persistence mechanisms.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"process"
|
||||
],
|
||||
|
|
@ -33,19 +33,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"process"
|
||||
],
|
||||
"description": "SIEM Winlogbeat: Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms (beta)",
|
||||
"description": "Security: Winlogbeat - Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
|
|
@ -33,20 +33,20 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Winlogbeat: Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms (beta)",
|
||||
"description": "Security: Winlogbeat - Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"powershell"
|
||||
],
|
||||
|
|
@ -33,12 +33,12 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"groups": [
|
||||
"siem",
|
||||
"winlogbeat",
|
||||
"system"
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"system"
|
||||
],
|
||||
"description": "SIEM Winlogbeat: Looks for rare and unusual Windows services which may indicate execution of unauthorized services, malware, or persistence mechanisms (beta)",
|
||||
"description": "Security: Winlogbeat - Looks for rare and unusual Windows services which may indicate execution of unauthorized services, malware, or persistence mechanisms.",
|
||||
"analysis_config": {
|
||||
"bucket_span": "15m",
|
||||
"detectors": [
|
||||
|
|
@ -32,7 +32,7 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Winlogbeat: Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement (beta)",
|
||||
"description": "Security: Winlogbeat - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"process"
|
||||
],
|
||||
|
|
@ -33,19 +33,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Winlogbeat: Unusual user context switches can be due to privilege escalation (beta)",
|
||||
"description": "Security: Winlogbeat - Unusual user context switches can be due to privilege escalation.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"authentication"
|
||||
],
|
||||
|
|
@ -33,19 +33,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"id": "siem_winlogbeat_auth",
|
||||
"title": "SIEM Winlogbeat Authentication",
|
||||
"description": "Detect suspicious authentication events in Winlogbeat data (beta).",
|
||||
"title": "Security: Winlogbeat Authentication",
|
||||
"description": "Detect suspicious authentication events in Winlogbeat data.",
|
||||
"type": "Winlogbeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "winlogbeat-*",
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "SIEM Winlogbeat Auth: Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access (beta)",
|
||||
"description": "Security: Winlogbeat Auth - Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.",
|
||||
"groups": [
|
||||
"siem",
|
||||
"security",
|
||||
"winlogbeat",
|
||||
"authentication"
|
||||
],
|
||||
|
|
@ -33,19 +33,19 @@
|
|||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Details by process name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Host Details by user name",
|
||||
"url_value": "siem#/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by process name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
},
|
||||
{
|
||||
"url_name": "Hosts Overview by user name",
|
||||
"url_value": "siem#/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
"url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue