Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes terminology and doc links #54

Merged
merged 2 commits into from
Jul 13, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion rules/ml/ml_linux_anomalous_network_activity.toml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ Signals from this rule indicate the presence of network activity from a Linux pr
- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_linux_anomalous_network_port_activity.toml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "linux_anomalous_network_port_activity_ecs"
name = "Unusual Linux Network Port Activity"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_linux_anomalous_network_service.toml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "linux_anomalous_network_service"
name = "Unusual Linux Network Service"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "52afbdc5-db15-596e-bc35-f5707f820c4b"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_linux_anomalous_network_url_activity.toml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "linux_anomalous_network_url_activity_ecs"
name = "Unusual Linux Web Activity"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "52afbdc5-db15-485e-bc35-f5707f820c4c"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_linux_anomalous_process_all_hosts.toml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "647fc812-7996-4795-8869-9c4ea595fe88"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_linux_anomalous_user_name.toml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ Signals from this rule indicate activity for a Linux user name that is rare and
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?
- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing."""
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_packetbeat_dns_tunneling.toml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "packetbeat_dns_tunneling"
name = "DNS Tunneling"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_packetbeat_rare_dns_question.toml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "packetbeat_rare_dns_question"
name = "Unusual DNS Activity"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_packetbeat_rare_server_domain.toml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "packetbeat_rare_server_domain"
name = "Unusual Network Destination Domain Name"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_packetbeat_rare_urls.toml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "packetbeat_rare_urls"
name = "Unusual Web Request"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_packetbeat_rare_user_agent.toml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "packetbeat_rare_user_agent"
name = "Unusual Web User Agent"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_rare_process_by_host_linux.toml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "46f804f5-b289-43d6-a881-9387cf594f75"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_rare_process_by_host_windows.toml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_suspicious_login_activity.toml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "suspicious_login_activity_ecs"
name = "Unusual Login Activity"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_anomalous_network_activity.toml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ Signals from this rule indicate the presence of network activity from a Windows
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools."""
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_anomalous_path_activity.toml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "windows_anomalous_path_activity_ecs"
name = "Unusual Windows Path Activity"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_anomalous_process_all_hosts.toml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_anomalous_process_creation.toml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "windows_anomalous_process_creation"
name = "Anomalous Windows Process Creation"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_anomalous_script.toml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "windows_anomalous_script"
name = "Suspicious Powershell Script"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_anomalous_service.toml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "windows_anomalous_service"
name = "Unusual Windows Service"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_anomalous_user_name.toml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ Signals from this rule indicate activity for a Windows user name that is rare an
- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious."""
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_rare_user_runas_event.toml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ interval = "15m"
license = "Elastic License"
machine_learning_job_id = "windows_rare_user_runas_event"
name = "Unusual Windows User Privilege Elevation Activity"
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
severity = "low"
Expand Down
2 changes: 1 addition & 1 deletion rules/ml/ml_windows_rare_user_type10_remote_login.toml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ note = """### Investigating an Unusual Windows User ###
Signals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
severity = "low"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,7 @@ false_positives = [
"""
Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this
rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually
local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if
desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or
local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or
destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not
in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this
rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ author = ["Elastic"]
description = """
Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature
validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass
application whitelisting and signature validation.
application allowlists and signature validation.
"""
index = ["winlogbeat-*"]
language = "kuery"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ updated_date = "2020/06/24"
author = ["Elastic"]
description = """
Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of
an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.
an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
"""
false_positives = [
"""
Expand Down