From 8b28a515c1bd204c9f77c19b47d5fc78c9445bf4 Mon Sep 17 00:00:00 2001 
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Tue, 28 May 2024 14:21:46 -0500
Subject: [PATCH] Update rule setup instructions for UEBA packages (#3652)

* update detection-rules instructions for UEBA packages

---------

Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
---
 .../command_and_control_beaconing.toml | 2 +-
 ...and_control_beaconing_high_confidence.toml | 2 +-
 ...ytes_destination_geo_country_iso_code.toml | 10 +----
 ...ltration_ml_high_bytes_destination_ip.toml | 10 +----
 ...ration_ml_high_bytes_destination_port.toml | 10 +----
 ...ml_high_bytes_destination_region_name.toml | 10 +----
 ...high_bytes_written_to_external_device.toml | 10 +----
 ...es_written_to_external_device_airdrop.toml | 10 +----
 ...re_process_writing_to_external_device.toml | 10 +----
 ...ml_dga_activity_using_sunburst_domain.toml | 28 +------------
 ...d_control_ml_dga_high_sum_probability.toml | 28 +------------
 ...l_ml_dns_request_high_dga_probability.toml | 28 +------------
 ..._request_predicted_to_be_a_dga_domain.toml | 28 +------------
 ...ovement_ml_high_mean_rdp_process_args.toml | 11 +-----
 ...ent_ml_high_mean_rdp_session_duration.toml | 11 +-----
 ...ral_movement_ml_high_remote_file_size.toml | 10 +----
 ...ml_high_variance_rdp_session_duration.toml | 11 +-----
 ...ovement_ml_rare_remote_file_directory.toml | 10 +----
 ...ovement_ml_rare_remote_file_extension.toml | 10 +----
 ...spike_in_connections_from_a_source_ip.toml | 11 +-----
 ...ke_in_connections_to_a_destination_ip.toml | 11 +-----
 ...al_movement_ml_spike_in_rdp_processes.toml | 11 +-----
 ...ent_ml_spike_in_remote_file_transfers.toml | 10 +----
 ...nt_ml_unusual_time_for_an_rdp_session.toml | 11 +-----
 ...se_evasion_ml_rare_process_for_a_host.toml | 39 +------------------
 ..._ml_rare_process_for_a_parent_process.toml | 39 +------------------
 ...se_evasion_ml_rare_process_for_a_user.toml | 39 +------------------
 ...e_evasion_ml_suspicious_windows_event.toml | 31 +--------------
 ...icious_windows_event_high_probability.toml | 31 +--------------
 ...ous_windows_process_cluster_from_host.toml | 39 +------------------
 ...s_process_cluster_from_parent_process.toml | 39 +------------------
 ...ous_windows_process_cluster_from_user.toml | 39 +------------------
 32 files changed, 62 insertions(+), 537 deletions(-)

diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml
index 6d34829676a..d3de0468ac4 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing.toml
@@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame
 #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
-- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.
+- Follow the instructions under the **Installation** section.
 """
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
index c716a31cd6e..d14ed4e45ea 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
@@ -35,7 +35,7 @@ The Network Beaconing Identification integration consists of a statistical frame
 #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
-- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.
+- Follow the instructions under the **Installation** section.
 """
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
index 55bf68afc0f..fc951b330cb 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
index 88a012b6e29..350448b6a9b 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
index 20d6850ca12..119651afe53 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
index 1a3e7ef8555..b66d2fcbc9f 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
index b62f5b16920..39917340b0a 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
index d484668f893..9236fbdd189 100644
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
@@ -41,14 +41,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
index fc98cc66a3f..ea9d9ea5633 100644
--- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
+++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
@@ -40,14 +40,8 @@ The Data Exfiltration Detection integration detects data exfiltration activity b
 #### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
-- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
index 47b2a9d9957..9511cf51e24 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 #### The following steps should be executed to install assets associated with the DGA Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
-- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.
-- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
-- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "ml_is_dga": {
- "properties": {
- "malicious_prediction": {
- "type": "long"
- },
- "malicious_probability": {
- "type": "float"
- }
- }
- }
- }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 ```
 """
 severity = "critical"
diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
index 0830449ff22..0832692ebbb 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
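Review bot: The ``` kept as a context line right after the two new bullets is now an unpaired closing fence, because the hunk removes the opening fence together with the JSON mapping block but leaves this one in place; when the setup guide is rendered in the rule details, a lone ``` opens a code block rather than closing one. Delete that line as well so the setup text ends with the new **Configure the ingest pipeline** bullet. The removed text was also the only place in this rule naming the `ml_is_dga.malicious_prediction` / `malicious_probability` mapping that the enrichment writes; if the integration's Installation section does not cover that custom mapping, keep a one-line pointer here, since the rule's setup guide is what an analyst sees in Kibana without the integration README.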
@@ -42,32 +42,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 #### The following steps should be executed to install assets associated with the DGA Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
-- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.
-- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
-- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "ml_is_dga": {
- "properties": {
- "malicious_prediction": {
- "type": "long"
- },
- "malicious_probability": {
- "type": "float"
- }
- }
- }
- }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 ```
 
 ### Anomaly Detection Setup
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
index dca1fb0b3b9..5d7e802bb9b 100644
--- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
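Review bot: The ``` that survives as context after the new bullets is now an unmatched closing fence — its opening partner was removed with the JSON mapping block — so in the rendered setup guide it opens a code block and the `### Anomaly Detection Setup` section that follows it would be shown as code. Remove that stray ``` line as well. Separately, this rule's stop point is **Add preconfigured anomaly detection jobs**, while the removed text said DNS events must first be enriched by the DGA ingest pipeline; if the anomaly job reads the `ml_is_dga.*` fields (its datafeed is not visible here), say so explicitly, e.g. `- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**; the ingest pipeline step must be done first so the DNS events carry the DGA predictions.`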
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 #### The following steps should be executed to install assets associated with the DGA Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
-- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.
-- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
-- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "ml_is_dga": {
- "properties": {
- "malicious_prediction": {
- "type": "long"
- },
- "malicious_probability": {
- "type": "float"
- }
- }
- }
- }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 ```
 """
 severity = "low"
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
index ef50f101169..d86110729a8 100644
--- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
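Review bot: The context line ``` directly after the two added bullets is left without its opening fence, which the hunk removes together with the JSON mapping; a lone ``` in the rendered setup guide starts a code block instead of ending one. Drop that line too so the guide ends cleanly on the new **Configure the ingest pipeline** bullet. This is the same leftover as in the sibling DGA rules in this patch, so it is worth fixing in all of them at once.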
@@ -40,32 +40,8 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 #### The following steps should be executed to install assets associated with the DGA Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
-- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-Before you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.
-- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.
-- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "ml_is_dga": {
- "properties": {
- "malicious_prediction": {
- "type": "long"
- },
- "malicious_probability": {
- "type": "float"
- }
- }
- }
- }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 ```
 """
 severity = "low"
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index fdac1aa8b75..34ee5a28519 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
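Review bot: The ``` kept as context after the new bullets no longer has an opening fence, since the hunk removes it along with the JSON mapping block; rendered, a lone ``` opens a code block rather than closing one. Remove that line as well so the setup string ends with the new **Configure the ingest pipeline** bullet. Because the rule's query presumably depends on the `ml_is_dga.*` fields the removed mapping described, it is worth confirming that the integration's Installation section covers the custom mapping before relying on the reference alone.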
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
index 619c08ec281..0b13d9e762e 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
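Review bot: The shortened note drops the only mention that this RDP-based rule depends on the pivot transform's destination index `ml-rdp-lmd`, which the removed text required to be installed and actively receiving data before the anomaly detection jobs are created. If the integration's Installation section does not cover enabling that transform, a user following the new two bullets will create jobs against an empty data view and the rule will never fire; keep one line such as `- Confirm the Pivot Transform is installed and writing to ` followed by `ml-rdp-lmd` in backticks and ` before adding the anomaly detection jobs.` The same applies to the RDP-based hunks for lateral_movement_ml_high_mean_rdp_session_duration, lateral_movement_ml_high_variance_rdp_session_duration, lateral_movement_ml_spike_in_connections_from_a_source_ip, lateral_movement_ml_spike_in_connections_to_a_destination_ip, lateral_movement_ml_spike_in_rdp_processes and lateral_movement_ml_unusual_time_for_an_rdp_session. The `note` string starts outside this hunk.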
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
index f2930aca5a6..910d0e198f5 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
@@ -42,14 +42,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
index f2072d40f55..9002606a3a3 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
index 283fd17854a..95486b7b141 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
@@ -41,14 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
index fad3bd17f58..e652d49aef9 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
@@ -40,14 +40,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
index 0c1dccd6c10..f2f1c672314 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
index d3193f054d7..b155d1cd313 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
index cdb15b8e932..6da8b35fb4b 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
@@ -40,15 +40,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
index 7abc56dfef5..793014dff2b 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
@@ -42,14 +42,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
index d16f9cba327..91706bb4f63 100644
--- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
@@ -41,15 +41,8 @@ The Lateral Movement Detection integration detects lateral movement activity by
 #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
-- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
-
-#### Anomaly Detection Setup
-Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
-- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
-- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
index 7a71526db20..edab0155201 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml 
@@ -42,43 +42,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
-```
-
-### Anomaly Detection Setup
-**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated.
-- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
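Review bot: The new wording loses the ordering caveat from the removed block: the "Living off the Land Attack Detection" card under "Use preconfigured jobs" only appears once the ingest pipeline has actually written ProblemChild predictions, and the removed text told the reader to troubleshoot the pipeline when the card is missing. "Complete the instructions through **Add preconfigured anomaly detection jobs**" implies the pipeline and mapping steps come first, but a reader who reaches the jobs step with no enriched events yet gets no hint why the card is absent. Keeping one line such as `- The preconfigured jobs card only appears once enriched events (ProblemChild predictions) have been indexed; if it is missing, check the ingest pipeline first.` preserves that. The same applies to the hunks for defense_evasion_ml_rare_process_for_a_parent_process and defense_evasion_ml_rare_process_for_a_user. The `note` string starts outside this hunk.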
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index eda57d0433b..f0725aa911c 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -42,43 +42,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
-```
-
-### Anomaly Detection Setup
-**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
-- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index c9039de7f75..b61fba1800f 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -43,43 +43,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
-```
-
-### Anomaly Detection Setup
-**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
-- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
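Review bot: The two new bullets send the reader to an **Installation** section and to **Add preconfigured anomaly detection jobs** without naming the document those headings live in; from the preceding context line ("select the integration to see more details about it") it is presumably the integration's details page, and the first bullet should say so, e.g. `- Follow the instructions under the **Installation** section of the integration's details page.`. The removed text also carried the only troubleshooting hint that the preconfigured job card does not appear until enriched events have been indexed, and whether the integration page keeps that caveat cannot be checked from this diff; an operator who enables the rule before the pipeline has produced predictions gets a job with no data and no alerts, so a one-line pointer to that condition would keep the rule's `setup` self-contained. The same applies to the hunks for defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml, defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml and defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml.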
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
index 7b8a91cef65..e2d62ad5dbd 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
@@ -40,35 +40,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 ```
 """
 severity = "low"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index c134556b6f8..54e0164554c 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
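Review bot: The closing triple-backtick fence line is left behind on the new side of this hunk: the removed lines drop the opening fence and the JSON mapping, but the fence that closed that block survives as a context line right after `+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.`, so the rule's `setup` text now ends with a stray fence that opens a code block nothing closes (the hunk counts, 35 old and 8 new lines, confirm the fence is kept on both sides). The same leftover is in the hunk for defense_evasion_ml_suspicious_windows_event_high_probability.toml. The defense_evasion_ml_rare_process_for_a_user.toml hunk in this same commit removes its closing fence, so these two should do the same and have the new bullet followed directly by `"""`.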
@@ -40,35 +40,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 ```
 """
 severity = "low"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index bfb17d0f270..cd4ee918704 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
-```
-
-### Anomaly Detection Setup
-**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
-- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index f8a89d0a9fa..9b7646f308c 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
-```
-
-### Anomaly Detection Setup
-**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
-- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index 98ff9844090..8e2533acf31 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -44,43 +44,8 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi
 #### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 - Go to the Kibana homepage. Under Management, click Integrations.
 - In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
-- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.
-
-#### Ingest Pipeline Setup
-**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.
-- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.
-- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).
-
-#### Adding Custom Mappings
-- Go to the Kibana homepage. Under Management, click Stack Management.
-- Under Data click Index Management and navigate to the Component Templates tab.
-- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the "Load JSON" flyout:
-```
-{
- "properties": {
- "problemchild": {
- "properties": {
- "prediction": {
- "type": "long"
- },
- "prediction_probability": {
- "type": "float"
- }
- }
- },
- "blocklist_label": {
- "type": "long"
- }
- }
-}
-```
-
-### Anomaly Detection Setup
-**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job.
-- Go to the Kibana homepage. Under Analytics, click Machine Learning.
-- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.
-- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.
-- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 """
 severity = "low"
 tags = [