
ML-experimental-detections-20210602-4

Pre-release
@brokensound77 brokensound77 released this 03 Jun 01:27
· 1475 commits to main since this release
7040538

changelog

Rules are now stored as ndjson files rather than in toml format, to allow for importing via Kibana

detections added

problem child

  • ML jobs
    • problem_child_high_sum_by_parent
    • problem_child_high_sum_by_host
    • problem_child_high_sum_by_user
    • problem_child_rare_process_by_parent
    • problem_child_rare_process_by_host
    • problem_child_rare_process_by_user
  • Experimental Rules
    • 34184d4e-ef61-477b-8d76-5c93448c29bf: Search rule to detect on malicious activity predicted by the supervised ProblemChild model
    • 9a2e372a-cbeb-4ad6-a288-017ef086324c: Search rule to detect on malicious activity predicted by the supervised ProblemChild model with high probability
    • 9b98d945-2cce-45e5-aa84-4b021af0e153: ML rule to detect on malicious parent-child activity identified by an ML job
    • 86d57ec4-ace5-4456-8145-02e6f0cdd71a: ML rule to detect on malicious process activity from a particular host, identified by an ML job
    • ff590871-371b-468f-8cd8-2876b54c53bd: ML rule to detect on malicious process activity from a particular user, identified by an ML job
    • ae7c2f69-0c51-4b02-ad54-d3d75023da8b: ML rule to detect a rare process spawned by a parent process, identified by an ML job
    • 415d6863-7676-401f-aa8d-62f59a28e849: ML rule to detect a rare process spawned on a host, identified by an ML job
    • a5cb4cd7-ba05-47e8-a815-f95c21719ded: ML rule to detect a rare process spawned on a user, identified by an ML job

DGA

Updated file names and job ID references


Registry of experimental detections

Experimental detections

  • rules and dashboards can be imported via Kibana
  • jobs and datafeeds can be imported using the CLI or Kibana devtools

Refer to the experimental-machine-learning docs for more details

| detection ID | type | relative path |
|---|---|---|
| problem_child_high_sum_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_parent.json |
| problem_child_high_sum_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_user.json |
| problem_child_rare_process_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_parent.json |
| problem_child_rare_process_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_user.json |
| problem_child_high_sum_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_host.json |
| problem_child_rare_process_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_host.json |
| problem_child_high_sum_by_parent | datafeed | problem_child/datafeed/problem_child_high_sum_by_parent.json |
| problem_child_high_sum_by_user | datafeed | problem_child/datafeed/problem_child_high_sum_by_user.json |
| problem_child_rare_process_by_parent | datafeed | problem_child/datafeed/problem_child_rare_process_by_parent.json |
| problem_child_rare_process_by_user | datafeed | problem_child/datafeed/problem_child_rare_process_by_user.json |
| problem_child_high_sum_by_host | datafeed | problem_child/datafeed/problem_child_high_sum_by_host.json |
| problem_child_rare_process_by_host | datafeed | problem_child/datafeed/problem_child_rare_process_by_host.json |
| 9a2e372a-cbeb-4ad6-a288-017ef086324c | rule | problem_child/rule/problem_child_ml_high_probability_suspicious_windows_event.ndjson |
| a5cb4cd7-ba05-47e8-a815-f95c21719ded | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_user.ndjson |
| 9b98d945-2cce-45e5-aa84-4b021af0e153 | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_parent.ndjson |
| ff590871-371b-468f-8cd8-2876b54c53bd | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_user.ndjson |
| ae7c2f69-0c51-4b02-ad54-d3d75023da8b | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_parent.ndjson |
| 34184d4e-ef61-477b-8d76-5c93448c29bf | rule | problem_child/rule/problem_child_ml_predicted_suspicious_windows_event.ndjson |
| 415d6863-7676-401f-aa8d-62f59a28e849 | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_host.ndjson |
| 86d57ec4-ace5-4456-8145-02e6f0cdd71a | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_host.ndjson |
| dga_high_sum_probability | anomaly_detection | dga/anomaly_detection/dga_high_sum_probability.json |
| dga_high_sum_probability | datafeed | dga/datafeed/dga_high_sum_probability.json |
| 997ec71d-bddc-4513-b6f1-193f601fd420 | rule | dga/rule/dga_command_and_control_high_sum_scores.ndjson |
| 170b35d4-d944-4264-a8ca-3118ae2e1534 | rule | dga/rule/dga_command_and_control_ml_sunburst_domain.ndjson |
| 64116bb2-0f2c-4cf6-9df4-9973452b4d4b | rule | dga/rule/dga_command_and_control_ml_predicted_domain.ndjson |
| a020dadb-3da2-4252-91e9-b0fc148823e2 | rule | dga/rule/dga_command_and_control_ml_probable_domain.ndjson |
| None | dashboard | dga/dashboard/dga_dashboard.ndjson |