Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ML] Adds new security module to detect anomalous activity in host-based logs #195582

Merged
merged 6 commits into from
Nov 27, 2024
+191 −1
Merged

[ML] Adds new security module to detect anomalous activity in host-based logs #195582

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4135920
Add new prebuilt security module
sodhikirti07 Oct 8, 2024
ed39312
Add security_host to module list
sodhikirti07 Oct 11, 2024
2f203c8
change expected length of config to 19
sodhikirti07 Oct 11, 2024
f7ae3ec
Update detector description of the jobs
sodhikirti07 Oct 11, 2024
ccbfe65
add security_host to recognize_module.ts
sodhikirti07 Oct 11, 2024
3d9ca8b
Merge branch 'main' into kirti/prebuilt_security_jobs_add_new_module
elasticmachine Nov 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/logo.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"icon": "logoSecurity"
}
60 changes: 60 additions & 0 deletions x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/manifest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
{
"id": "security_host",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll need to make edits to a couple of the test files to fix the test errors:

https://github.com/elastic/kibana/blob/main/x-pack/test/functional/services/ml/supplied_configurations.ts#L30 - up the expected length to 19 for the new module.

https://github.com/elastic/kibana/blob/main/x-pack/test/api_integration/apis/ml/modules/get_module.ts#L15 - add in security_host to the two arrays in this file (module IDs need to be in alphabetical order, so it will need to go in after security_cloudtrail.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I missed this one which will also need updating - https://github.com/elastic/kibana/blob/main/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts#L136 - add in security_host to the expected array in this file, after security_auth.

"title": "Security: Host",
"description": "Detect anomalous activity in your ECS-compatible host-based logs.",
"type": "Host data",
"logoFile": "logo.json",
"defaultIndexPattern": "auditbeat-*,logs-*,filebeat-*,winlogbeat-*",
"query": {
"bool": {
"filter": [
{
"exists": {
"field": "event.category"
}
},
{
"exists": {
"field": "host.name"
}
},
{
"exists": {
"field": "event.dataset"
}
},
{
"term": {
"event.outcome": "success"
}
}
],
"must_not": { "terms": { "_tier": ["data_frozen", "data_cold"] } }
}
},
"jobs": [
{
"id": "high_count_events_for_a_host_name",
"file": "high_count_events_for_a_host_name.json"
},
{
"id": "low_count_events_for_a_host_name",
"file": "low_count_events_for_a_host_name.json"
}
],
"datafeeds": [
{
"id": "datafeed-high_count_events_for_a_host_name",
"file": "datafeed_high_count_events_for_a_host_name.json",
"job_id": "high_count_events_for_a_host_name"
},
{
"id": "datafeed-low_count_events_for_a_host_name",
"file": "datafeed_low_count_events_for_a_host_name.json",
"job_id": "low_count_events_for_a_host_name"
}
],
"tags": [
"security"
]
}
33 changes: 33 additions & 0 deletions .../data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"exists": {
"field": "event.category"
}
},
{
"exists": {
"field": "host.name"
}
},
{
"exists": {
"field": "event.dataset"
}
},
{
"term": {
"event.outcome": "success"
}
}
]
}
}
}
33 changes: 33 additions & 0 deletions ...s/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
{
"job_id": "JOB_ID",
"indices": [
"INDEX_PATTERN_NAME"
],
"max_empty_searches": 10,
"query": {
"bool": {
"filter": [
{
"exists": {
"field": "event.category"
}
},
{
"exists": {
"field": "host.name"
}
},
{
"exists": {
"field": "event.dataset"
}
},
{
"term": {
"event.outcome": "success"
}
}
]
}
}
}
29 changes: 29 additions & 0 deletions ...er/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{
"description": "Security: Host - Looks for a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks, malware infections, privilege escalation, or data exfiltration.",
"groups": ["security", "host"],
"analysis_config": {
"bucket_span": "3h",
"detectors": [
{
"detector_description": "Detects high count of host based events.",
peteharverson marked this conversation as resolved.
Show resolved Hide resolved
"function": "high_count",
"partition_field_name": "host.name",
"detector_index": 0
}
],
"influencers": ["host.name", "host.ip", "event.dataset", "event.action", "event.category"]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "128mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-host",
"security_app_display_name": "Spike in the Host Traffic",
"managed": true,
"job_revision": 1
}
}
29 changes: 29 additions & 0 deletions ...ver/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{
"description": "Security: Host - Looks for a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system, a failed service, or a network misconfiguration.",
"groups": ["security", "host"],
"analysis_config": {
"bucket_span": "3h",
"detectors": [
{
"detector_description": "Detects low count of host based events.",
peteharverson marked this conversation as resolved.
Show resolved Hide resolved
"function": "low_count",
"partition_field_name": "host.name",
"detector_index": 0
}
],
"influencers": ["host.name", "host.ip", "event.dataset", "event.action", "event.category"]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "128mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-host",
"security_app_display_name": "Decrease in the Host Traffic",
"managed": true,
"job_revision": 1
}
}