Skip to content

Commit

Permalink
[ML] Minor edits in prebuilt job descriptions (#132633)
Browse files Browse the repository at this point in the history
  • Loading branch information
lcawl authored May 20, 2022
1 parent ecca231 commit 6fc2fff
Show file tree
Hide file tree
Showing 8 changed files with 8 additions and 8 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"job_type": "anomaly_detector",
"description": "Security: Authentication - looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.",
"description": "Security: Authentication - Looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute force activity.",
"groups": [
"security",
"authentication"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"job_type": "anomaly_detector",
"description": "Security: Authentication - looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.",
"description": "Security: Authentication - Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration, or brute force activity.",
"groups": [
"security",
"authentication"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"job_type": "anomaly_detector",
"description": "Security: Authentication - looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.",
"description": "Security: Authentication - Looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute force activity and may be a precursor to account takeover or credentialed access.",
"groups": [
"security",
"authentication"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"id": "security_linux_v3",
"title": "Security: Linux",
"description": "Anomaly detection jobs for Linux host based threat hunting and detection.",
"description": "Anomaly detection jobs for Linux host-based threat hunting and detection.",
"type": "linux data",
"logoFile": "logo.json",
"defaultIndexPattern": "auditbeat-*,logs-*",
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"job_type": "anomaly_detector",
"description": "Security: Network - looks for an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
"description": "Security: Network - Looks for an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
"groups": [
"security",
"network"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"job_type": "anomaly_detector",
"description": "Security: Network - looks for an unusually large spike in network traffic that was denied by network ACLs or firewall rules. Such a burst of denied traffic is usually either 1) a misconfigured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
"description": "Security: Network - Looks for an unusually large spike in network traffic that was denied by network ACLs or firewall rules. Such a burst of denied traffic is usually either 1) a misconfigured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
"groups": [
"security",
"network"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"job_type": "anomaly_detector",
"description": "Security: Network - looks for an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
"description": "Security: Network - Looks for an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.",
"groups": [
"security",
"network"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"id": "security_windows_v3",
"title": "Security: Windows",
"description": "Anomaly detection jobs for Windows host based threat hunting and detection.",
"description": "Anomaly detection jobs for Windows host-based threat hunting and detection.",
"type": "windows data",
"logoFile": "logo.json",
"defaultIndexPattern": "winlogbeat-*,logs-*",
Expand Down

0 comments on commit 6fc2fff

Please sign in to comment.