From 8259917826cfc30ff5707ac00d73ab676a2f9659 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Fri, 20 Feb 2026 14:21:06 -0600 Subject: [PATCH] SecML EUID testing --- .../transform/pivot_transform/transform.yml | 98 - .../fields/fields.yml | 4 + .../pivot_transform_euid/transform.yml | 173 + packages/ded/kibana/ml_module/ded-ml.json | 1146 ++-- packages/dga/kibana/ml_module/dga-ml.json | 224 +- .../transform/pivot_transform/transform.yml | 81 - .../fields/fields.yml | 6 +- .../pivot_transform_euid/transform.yml | 135 + packages/lmd/kibana/ml_module/lmd-ml.json | 1848 +++---- .../fields/fields.yml | 6 +- .../transform.yml | 129 + .../transform.yml | 65 - packages/pad/kibana/ml_module/pad-ml.json | 4717 +++++++++-------- .../kibana/ml_module/problemchild-ml.json | 1164 ++-- 14 files changed, 5196 insertions(+), 4600 deletions(-) delete mode 100644 packages/ded/elasticsearch/transform/pivot_transform/transform.yml rename packages/ded/elasticsearch/transform/{pivot_transform => pivot_transform_euid}/fields/fields.yml (86%) create mode 100644 packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml delete mode 100644 packages/lmd/elasticsearch/transform/pivot_transform/transform.yml rename packages/lmd/elasticsearch/transform/{pivot_transform => pivot_transform_euid}/fields/fields.yml (78%) create mode 100644 packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml rename packages/pad/elasticsearch/transform/{pivot_transform_windows_privilege_list => pivot_transform_win_privilege_list_euid}/fields/fields.yml (66%) create mode 100644 packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml delete mode 100644 packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml 
diff --git a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform/transform.yml
deleted file mode 100644
index f4a2aa81aa8..00000000000
--- a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml
+++ /dev/null
@@ -1,98 +0,0 @@ - -dest: - index: ml_network_ded-2.4.1 - aliases: - - alias: ml_network_ded.latest - move_on_creation: true - - alias: ml_network_ded.all - move_on_creation: false - pipeline: 2.4.1-ml_ded_ingest_pipeline -description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime. -frequency: 30m -pivot: - aggregations: - "@timestamp": - max: - field: "@timestamp" - avg_source_bytes: - avg: - field: source.bytes - group_by: - 'host.name': - terms: - field: host.name - 'user.name': - terms: - field: user.name - 'network.direction': - terms: - field: network.direction - 'event.category': - terms: - field: event.category - 'source.ip': - terms: - field: source.ip - 'destination.ip': - terms: - field: destination.ip - 'destination.port': - terms: - field: destination.port - 'destination.geo.continent_name': - terms: - field: destination.geo.continent_name - 'destination.geo.country_name': - terms: - field: destination.geo.country_name - 'destination.geo.country_iso_code': - terms: - field: destination.geo.country_iso_code - 'destination.geo.region_name': - terms: - field: destination.geo.region_name - 'destination.geo.city_name': - terms: - field: destination.geo.city_name - 'process.name': - terms: - field: process.name -source: - index: logs-* - query: - bool: - filter: - - range: - '@timestamp': - gte: now-1M - - term: - 'event.category': - value: network - - exists: - field: source.bytes - - exists: - field: destination.port - - terms: - 'source.ip': ["192.168.0.0/16","10.0.0.0/8","172.16.0.0/12"] - must_not: - - term: - 'source.bytes': - value: 0 - - term: - 'host.os.type': - value: "macos" - - terms: - '_tier': [ "data_cold", "data_frozen" ] - - terms: - 'network.direction': [ "internal","inbound" ] - - terms: - 'process.name': [ 
"elastic-agent.exe","elastic-agent","metricbeat.exe","metricbeat","filebeat.exe","filebeat","packetbeat.exe","packetbeat","winlogbeat.exe","winlogbeat" ] - - terms: - 'destination.ip': [ "0.0.0.0/8","10.0.0.0/8", "100.64.0.0/10","127.0.0.0/8","169.254.0.0/16","172.16.0.0/12","192.0.0.0/24","192.0.2.0/24","192.88.99.0/24","192.168.0.0/16","198.18.0.0/15","198.51.100.0/24","203.0.113.0/24","224.0.0.0/4","233.252.0.0/24","240.0.0.0/4","255.255.255.255/32" ] -sync: - time: - delay: 120s - field: "@timestamp" -_meta: - fleet_transform_version: 2.4.1 - run_as_kibana_system: false diff --git a/packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml similarity index 86% rename from packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml rename to packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml index 7a22b3eef3a..aeda1f9c16a 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml @@ -28,3 +28,7 @@ name: destination.geo.region_name - external: ecs name: destination.geo.city_name +- name: user.entity.id_computed + type: keyword +- name: host.entity.id_computed + type: keyword diff --git a/packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml new file mode 100644 index 00000000000..4ccb744a9fd --- /dev/null +++ b/packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml 
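Review bot: The two fields added at the end of the fields.yml hunk, `user.entity.id_computed` and `host.entity.id_computed`, carry only `type: keyword`, while every sibling entry is `external: ecs` and therefore gets its documentation from ECS; readers of the generated field reference get no hint of what these ids are or how they are derived. Add a `description:` under each, for example `description: User entity identifier computed by the transform's runtime mapping; falls back from user.entity.id through user.name qualified by host.entity.id, host.id or host.name, then user.id, user.email, user.name@user.domain and finally user.name.` and `description: Host entity identifier computed by the transform's runtime mapping; falls back from host.entity.id through host.id, host.name or host.hostname qualified by host.domain, then host.hostname and host.name.` It is also worth stating in the description that the emitted value keeps the original letter case of the source field, since the runtime scripts in the new transform.yml only lowercase for the sentinel check.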
@@ -0,0 +1,173 @@ +dest: + index: ml_network_ded-2.4.1 + aliases: + - alias: ml_network_ded.latest + move_on_creation: true + - alias: ml_network_ded.all + move_on_creation: false + pipeline: 2.4.1-ml_ded_ingest_pipeline +description: This transform runs every 30 minutes and collects network logs to detect + data exfiltration in your environment for the past month up to the runtime. +frequency: 30m +pivot: + aggregations: + '@timestamp': + max: + field: '@timestamp' + avg_source_bytes: + avg: + field: source.bytes + group_by: + host.entity.id_computed: + terms: + field: host.entity.id_computed + host.name: + terms: + field: host.name + user.entity.id_computed: + terms: + field: user.entity.id_computed + user.name: + terms: + field: user.name + network.direction: + terms: + field: network.direction + event.category: + terms: + field: event.category + source.ip: + terms: + field: source.ip + destination.ip: + terms: + field: destination.ip + destination.port: + terms: + field: destination.port + destination.geo.continent_name: + terms: + field: destination.geo.continent_name + destination.geo.country_name: + terms: + field: destination.geo.country_name + destination.geo.country_iso_code: + terms: + field: destination.geo.country_iso_code + destination.geo.region_name: + terms: + field: destination.geo.region_name + destination.geo.city_name: + terms: + field: destination.geo.city_name + process.name: + terms: + field: process.name +source: + index: logs-* + query: + bool: + filter: + - range: + '@timestamp': + gte: now-1M + - term: + event.category: + value: network + - exists: + field: source.bytes + - exists: + field: destination.port + - terms: + source.ip: + - 192.168.0.0/16 + - 10.0.0.0/8 + - 172.16.0.0/12 + must_not: + - term: + source.bytes: + value: 0 + - term: + host.os.type: + value: macos + - terms: + _tier: + - data_cold + - data_frozen + - terms: + network.direction: + - internal + - inbound + - terms: + process.name: + - elastic-agent.exe + - 
elastic-agent + - metricbeat.exe + - metricbeat + - filebeat.exe + - filebeat + - packetbeat.exe + - packetbeat + - winlogbeat.exe + - winlogbeat + - terms: + destination.ip: + - 0.0.0.0/8 + - 10.0.0.0/8 + - 100.64.0.0/10 + - 127.0.0.0/8 + - 169.254.0.0/16 + - 172.16.0.0/12 + - 192.0.0.0/24 + - 192.0.2.0/24 + - 192.88.99.0/24 + - 192.168.0.0/16 + - 198.18.0.0/15 + - 198.51.100.0/24 + - 203.0.113.0/24 + - 224.0.0.0/4 + - 233.252.0.0/24 + - 240.0.0.0/4 + - 255.255.255.255/32 + runtime_mappings: + user.entity.id_computed: + type: keyword + script: + source: "String read(def doc, String field) {\n if (!doc.containsKey(field))\ + \ return null;\n def dv = doc[field];\n if (dv == null || dv.size() ==\ + \ 0) return null;\n String v = dv.value.toString();\n String l = v.toLowerCase();\n\ + \ if (l == '' || l == '-' || l == 'unknown' || l == 'n/a') return null;\n\ + \ return v;\n}\n\nString ueid = read(doc, 'user.entity.id');\nif (ueid\ + \ != null) { emit(ueid); return; }\n\nString uname = read(doc, 'user.name');\n\ + String heid = read(doc, 'host.entity.id');\nif (uname != null && heid !=\ + \ null) { emit(uname + '@' + heid); return; }\n\nString hid = read(doc,\ + \ 'host.id');\nif (uname != null && hid != null) { emit(uname + '@' + hid);\ + \ return; }\n\nString hname = read(doc, 'host.name');\nif (uname != null\ + \ && hname != null) { emit(uname + '@' + hname); return; }\n\nString uid\ + \ = read(doc, 'user.id');\nif (uid != null) { emit(uid); return; }\n\nString\ + \ email = read(doc, 'user.email');\nif (email != null) { emit(email); return;\ + \ }\n\nString udom = read(doc, 'user.domain');\nif (uname != null && udom\ + \ != null) { emit(uname + '@' + udom); return; }\n\nif (uname != null) {\ + \ emit(uname); return; }" + host.entity.id_computed: + type: keyword + script: + source: "String read(def doc, String field) {\n if (!doc.containsKey(field))\ + \ return null;\n def dv = doc[field];\n if (dv == null || dv.size() ==\ + \ 0) return null;\n String v = 
dv.value.toString();\n String l = v.toLowerCase();\n\ + \ if (l == '' || l == '-' || l == 'unknown' || l == 'n/a') return null;\n\ + \ return v;\n}\n\nString heid = read(doc, 'host.entity.id');\nif (heid\ + \ != null) { emit(heid); return; }\n\nString hid = read(doc, 'host.id');\n\ + if (hid != null) { emit(hid); return; }\n\nString hname = read(doc, 'host.name');\n\ + String hdom = read(doc, 'host.domain');\nif (hname != null && hdom != null)\ + \ { emit(hname + '.' + hdom); return; }\n\nString hhostname = read(doc,\ + \ 'host.hostname');\nif (hhostname != null && hdom != null) { emit(hhostname\ + \ + '.' + hdom); return; }\n\nif (hhostname != null) { emit(hhostname);\ + \ return; }\nif (hname != null) { emit(hname); return; }" +sync: + time: + delay: 120s + field: '@timestamp' +_meta: + fleet_transform_version: 2.4.1 + run_as_kibana_system: false diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json index 87abed1e946..ebc4f7c0321 100644 --- a/packages/ded/kibana/ml_module/ded-ml.json +++ b/packages/ded/kibana/ml_module/ded-ml.json 
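Review bot: The new transform changes the pivot key (the `host.entity.id_computed` and `user.entity.id_computed` `group_by` terms near the top of the hunk) but keeps `dest.index: ml_network_ded-2.4.1`, `pipeline: 2.4.1-ml_ded_ingest_pipeline` and `_meta.fleet_transform_version: 2.4.1` exactly as the deleted `pivot_transform/transform.yml` had them. Since the transform directory was renamed, Fleet will presumably install this as a new transform, and unless the old one is removed first both would write documents with different key sets into the same destination index while `move_on_creation: true` contends for the `ml_network_ded.latest` alias; bumping `fleet_transform_version` and the index suffix together with the package version (the manifest is not part of this diff) removes that ambiguity. A smaller point in the two `runtime_mappings` scripts: `read` lowercases the value only for the `'' / '-' / 'unknown' / 'n/a'` sentinel check and then returns the original `v`, so `ALICE@host` and `alice@host` become two distinct entities; if case-insensitive identity is intended for user and host names, return `l` from `read` (or normalise in the emitting branches) and document the choice in the transform `description`.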
@@ -1,565 +1,615 @@ { - "attributes": { - "id": "ded-ml", - "title": "Data Exfiltration Detection", - "description": "Detects data exfiltration activity in your network and file data.", - "type": "ded", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "ded-ml", + "title": "Data Exfiltration Detection", + "description": "Detects data exfiltration activity in your network and file data.", + "type": "ded", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination" - } - } - ] - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination" + } } + ] } - }, - "jobs": [ - { - "id": "ded_high_sent_bytes_destination_geo_country_iso_code", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual country iso code", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.geo.country_iso_code", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.continent_name", - "destination.geo.country_name", - "destination.geo.country_iso_code" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - 
"created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_ip", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by IP address).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual IP address", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_port", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual destination port.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual destination port", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.port", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.port" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_region_name", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by region name).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual region", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": 
"destination.geo.region_name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.city_name", - "destination.geo.region_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_rare_process_writing_to_external_device", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process writing to an external device", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - 
{ - "id": "ded_high_bytes_written_to_external_device_airdrop", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device using Airdrop", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name", - "file.path", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual country iso code", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.country_iso_code", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.continent_name", + "destination.geo.country_name", + "destination.geo.country_iso_code", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_ip_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": 
"Detects data exfiltration to an unusual geo-location (by IP address).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual IP address", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_port_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual destination port.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual destination port", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.port", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.port", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_region_name_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by region name).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual region", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.region_name", + "detector_index": 0 + } + ], + "influencers": [ 
+ "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.city_name", + "destination.geo.region_name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_bytes_written_to_external_device_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_rare_process_writing_to_external_device_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process writing to an external device", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + 
"time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device using Airdrop", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code", - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" 
- } - } - ] - } - } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_ip_euid", + "job_id": "ded_high_sent_bytes_destination_ip_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_ip_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_ip", - "job_id": "ded_high_sent_bytes_destination_ip", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_ip", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_port_euid", + "job_id": "ded_high_sent_bytes_destination_port_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_port_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_port", - "job_id": "ded_high_sent_bytes_destination_port", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_port", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_region_name_euid", + "job_id": "ded_high_sent_bytes_destination_region_name_euid", + "config": { + "indices": [ + 
"INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_region_name_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_region_name", - "job_id": "ded_high_sent_bytes_destination_region_name", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_region_name", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_euid", + "job_id": "ded_high_bytes_written_to_external_device_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device", - "job_id": "ded_high_bytes_written_to_external_device", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - } + 
"host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-ded_rare_process_writing_to_external_device_euid", + "job_id": "ded_rare_process_writing_to_external_device_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_rare_process_writing_to_external_device_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-ded_rare_process_writing_to_external_device", - "job_id": "ded_rare_process_writing_to_external_device", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_rare_process_writing_to_external_device", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_euid", + "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "process.name": "sharingd" + } + }, + { + "term": { + "host.os.type": "macos" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } + ] + } + }, + 
"script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop", - "job_id": "ded_high_bytes_written_to_external_device_airdrop", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_airdrop", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "process.name": "sharingd" - } - }, - { - "term": { - "host.os.type": "macos" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - ] - }, - "id": "ded-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + } + } + } + ] + }, + "id": "ded-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } diff --git a/packages/dga/kibana/ml_module/dga-ml.json b/packages/dga/kibana/ml_module/dga-ml.json index d964bfa283c..4707e1899a9 100644 --- a/packages/dga/kibana/ml_module/dga-ml.json +++ b/packages/dga/kibana/ml_module/dga-ml.json 
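Review bot: The three file-write datafeeds (`datafeed-ded_high_bytes_written_to_external_device_euid`, `datafeed-ded_rare_process_writing_to_external_device_euid`, `datafeed-ded_high_bytes_written_to_external_device_airdrop_euid`) now reference the stored scripts `euid_user_entity` and `euid_host_entity` through `script_fields`, but nothing in this patch creates those scripts — the diffstat lists only transform, fields and ML-module files — so the datafeeds will fail to start on a cluster where the scripts have not been registered out of band. Either ship the stored scripts with the package or document the prerequisite next to the module definition. The four network datafeeds (`..._destination_geo_country_iso_code_euid` through `..._destination_region_name_euid`) get no `script_fields`, yet their jobs list `host.entity.id_computed` and `user.entity.id_computed` as influencers, which only works if `INDEX_PATTERN_NAME` resolves to an index that already carries the computed fields, such as the transform destination; that assumption is worth stating in each job `description`. Every job id also gained an `_euid` suffix, so any detection rule or saved object that referenced the previous ids by name will stop matching, and none are updated here. Finally, the hunk reindents the entire file from four spaces to two, which buries the semantic change inside a 500-line rewrite; keeping the reformat in its own commit would make the real change reviewable.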
@@ -1,114 +1,122 @@
 {
- "attributes": {
- "id": "dga-ml",
- "title": "DGA",
- "description": "Detect domain generation algorithm (DGA) activity in your network data.",
- "type": "DGA",
- "logo": {
- "icon": "machineLearningApp"
- },
- "query": {
+ "attributes": {
+ "id": "dga-ml",
+ "title": "DGA",
+ "description": "Detect domain generation algorithm (DGA) activity in your network data.",
+ "type": "DGA",
+ "logo": {
+ "icon": "machineLearningApp"
+ },
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "exists": {
+ "field": "ml_is_dga.malicious_probability"
+ }
+ }
+ ],
+ "must_not": {
+ "terms": {
+ "_tier": [
+ "data_frozen",
+ "data_cold"
+ ]
+ }
+ }
+ }
+ },
+ "jobs": [
+ {
+ "id": "dga_high_sum_probability_euid",
+ "config": {
+ "groups": [
+ "security",
+ "dga"
+ ],
+ "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.",
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "high probability of DGA activity",
+ "detector_index": 0,
+ "field_name": "ml_is_dga.malicious_probability",
+ "function": "high_sum",
+ "over_field_name": "source.ip"
+ }
+ ],
+ "influencers": [
+ "source.ip",
+ "host.entity.id_computed",
+ "host.name"
+ ]
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-dga"
+ }
+ }
+ }
+ ],
+ "datafeeds": [
+ {
+ "id": "datafeed-dga_high_sum_probability_euid",
+ "job_id": "dga_high_sum_probability_euid",
+ "config": {
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "job_id": "dga_high_sum_probability_euid",
+ "query": {
 "bool": {
- "filter": [
- {
- "exists": {
- "field": "ml_is_dga.malicious_probability"
- }
- }
- ],
- "must_not": {
- "terms": {
- "_tier": [
- "data_frozen",
- "data_cold"
- ]
- }
+ "filter": [
+ {
+ "exists": {
+ "field": "ml_is_dga.malicious_probability"
+ }
 }
- }
- },
- "jobs": [
- {
- "id": "dga_high_sum_probability",
- "config": {
- "groups": [
- "security",
- "dga"
- ],
- "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.",
- "analysis_config": {
- "bucket_span": "15m",
- "detectors": [
- {
- "detector_description": "high probability of DGA activity",
- "detector_index": 0,
- "field_name": "ml_is_dga.malicious_probability",
- "function": "high_sum",
- "over_field_name": "source.ip"
- }
- ],
- "influencers": [
- "source.ip",
- "host.name"
- ]
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "created_by": "ml-module-dga"
- }
+ ],
+ "must_not": [
+ {
+ "terms": {
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "elastic-endpoint.exe",
+ "elastic-endpoint",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
+ }
 }
+ ]
 }
- ],
- "datafeeds": [
- {
- "id": "datafeed-dga_high_sum_probability",
- "job_id": "dga_high_sum_probability",
- "config": {
- "indices": [
- "INDEX_PATTERN_NAME"
- ],
- "job_id": "dga_high_sum_probability",
- "query": {
- "bool": {
- "filter": [
- {
- "exists": {
- "field": "ml_is_dga.malicious_probability"
- }
- }
- ],
- "must_not": [
- {
- "terms": {
- "process.name": [
- "elastic-agent.exe",
- "elastic-agent",
- "elastic-endpoint.exe",
- "elastic-endpoint",
- "metricbeat.exe",
- "metricbeat",
- "filebeat.exe",
- "filebeat",
- "packetbeat.exe",
- "packetbeat",
- "winlogbeat.exe",
- "winlogbeat"
- ]
- }
- }
- ]
- }
- }
- }
+ },
+ "script_fields": {
+ "host.entity.id_computed": {
+ "script": {
+ "id": "euid_host_entity"
+ }
 }
- ]
- },
- "id": "dga-ml",
- "migrationVersion": {
- "search": "7.16.0"
- },
- "references": [],
- "type": "ml-module"
-}
\ No newline at end of file
+ }
+ }
+ }
+ ]
+ },
+ "id": "dga-ml",
+ "migrationVersion": {
+ "search": "7.16.0"
+ },
+ "references": [],
+ "type": "ml-module"
+}
diff --git a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml
deleted file mode 100644
index 4ac6268cc9e..00000000000
--- a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml
+++ /dev/null
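Review bot: The new datafeed entry for `dga_high_sum_probability_euid` depends on a stored script it only references by id, `"script": { "id": "euid_host_entity" }`, and none of the files changed in this commit adds that stored script, so on a cluster where it was not installed through some other path the datafeed will fail to start and the job silently produces no anomalies. Unless the package ships the script elsewhere, it should be carried as an asset of this module or the prerequisite should be stated in the job's `description`, since a missing dependency here is a loss of detection coverage rather than a visible error. The same stored-script dependency (`euid_host_entity`, and `euid_user_entity` alongside it) is introduced in the ded-ml.json and lmd-ml.json datafeeds in this commit. Because `host.entity.id_computed` is now listed as an influencer while being computed at query time by the datafeed's `script_fields` rather than indexed, the `description` could also note that the host entity id is derived per document at feed time, which matters for anyone tuning the feed's query cost or mapping the influencer back to source data.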
@@ -1,81 +0,0 @@
-source:
- index: "logs-*"
- query:
- bool:
- must_not:
- - term:
- 'user.name':
- value: system
- - terms:
- 'process.name': [ "elastic-agent.exe","elastic-agent","elastic-endpoint.exe","elastic-endpoint","metricbeat.exe","metricbeat","filebeat.exe","filebeat","packetbeat.exe","packetbeat","winlogbeat.exe","winlogbeat" ]
- - terms:
- '_tier': [ "data_cold", "data_frozen" ]
- filter:
- - exists:
- field: process.Ext.session_info.client_address
- - exists:
- field: process.Ext.authentication_id
- - exists:
- field: host.ip
- - term:
- 'event.category':
- value: process
- - term:
- 'process.Ext.session_info.logon_type':
- value: RemoteInteractive
- runtime_mappings:
- 'destination.ip':
- type: ip
- script:
- source: "if (doc['host.ip'].size() != 0){emit(doc['host.ip'][0]);}"
-dest:
- index: "ml-rdp-lmd"
-description: This transform runs hourly and collects windows RDP session information for Lateral Movement Detection package.
-frequency: 1h
-pivot:
- aggregations:
- number_processes_per_session:
- value_count:
- field: process.name
- total_length_process_args:
- sum:
- field: process.args_count
- session.start_time:
- min:
- field: '@timestamp'
- session.complete_time:
- max:
- field: '@timestamp'
- session.duration:
- bucket_script:
- buckets_path:
- start_time: session.start_time.value
- complete_time: session.complete_time.value
- script: Math.round((params.complete_time - params.start_time)/1000)
- group_by:
- 'host.name':
- terms:
- field: host.name
- 'destination.ip':
- terms:
- field: destination.ip
- 'user.name':
- terms:
- field: user.name
- 'source.ip':
- terms:
- field: process.Ext.session_info.client_address
- 'process.Ext.authentication_id':
- terms:
- field: process.Ext.authentication_id
-settings:
- # This is required to prevent the transform from clobbering the Fleet-managed mappings.
- deduce_mappings: false
- unattended: true
-sync:
- time:
- delay: 60s
- field: '@timestamp'
-_meta:
- fleet_transform_version: 2.6.0
- run_as_kibana_system: false
diff --git a/packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml
similarity index 78%
rename from packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml
rename to packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml
index b9902f5cfe8..4be22073790 100644
--- a/packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml
+++ b/packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml
@@ -17,4 +17,8 @@
 - name: session.duration
 type: float
 - name: total_length_process_args
- type: double
\ No newline at end of file
+ type: double
+- name: user.entity.id_computed
+ type: keyword
+- name: host.entity.id_computed
+ type: keyword
diff --git a/packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml
new file mode 100644
index 00000000000..e63e4329e9b
--- /dev/null
+++ b/packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml
@@ -0,0 +1,135 @@
+source:
+ index: logs-*
+ query:
+ bool:
+ must_not:
+ - term:
+ user.name:
+ value: system
+ - terms:
+ process.name:
+ - elastic-agent.exe
+ - elastic-agent
+ - elastic-endpoint.exe
+ - elastic-endpoint
+ - metricbeat.exe
+ - metricbeat
+ - filebeat.exe
+ - filebeat
+ - packetbeat.exe
+ - packetbeat
+ - winlogbeat.exe
+ - winlogbeat
+ - terms:
+ _tier:
+ - data_cold
+ - data_frozen
+ filter:
+ - exists:
+ field: process.Ext.session_info.client_address
+ - exists:
+ field: process.Ext.authentication_id
+ - exists:
+ field: host.ip
+ - term:
+ event.category:
+ value: process
+ - term:
+ process.Ext.session_info.logon_type:
+ value: RemoteInteractive
+ runtime_mappings:
+ destination.ip:
+ type: ip
+ script:
+ source: if (doc['host.ip'].size() != 0){emit(doc['host.ip'][0]);}
+ user.entity.id_computed:
+ type: keyword
+ script:
+ source: "String read(def doc, String field) {\n if (!doc.containsKey(field))\
+ \ return null;\n def dv = doc[field];\n if (dv == null || dv.size() ==\
+ \ 0) return null;\n String v = dv.value.toString();\n String l = v.toLowerCase();\n\
+ \ if (l == '' || l == '-' || l == 'unknown' || l == 'n/a') return null;\n\
+ \ return v;\n}\n\nString ueid = read(doc, 'user.entity.id');\nif (ueid\
+ \ != null) { emit(ueid); return; }\n\nString uname = read(doc, 'user.name');\n\
+ String heid = read(doc, 'host.entity.id');\nif (uname != null && heid !=\
+ \ null) { emit(uname + '@' + heid); return; }\n\nString hid = read(doc,\
+ \ 'host.id');\nif (uname != null && hid != null) { emit(uname + '@' + hid);\
+ \ return; }\n\nString hname = read(doc, 'host.name');\nif (uname != null\
+ \ && hname != null) { emit(uname + '@' + hname); return; }\n\nString uid\
+ \ = read(doc, 'user.id');\nif (uid != null) { emit(uid); return; }\n\nString\
+ \ email = read(doc, 'user.email');\nif (email != null) { emit(email); return;\
+ \ }\n\nString udom = read(doc, 'user.domain');\nif (uname != null && udom\
+ \ != null) { emit(uname + '@' + udom); return; }\n\nif (uname != null) {\
+ \ emit(uname); return; }"
+ host.entity.id_computed:
+ type: keyword
+ script:
+ source: "String read(def doc, String field) {\n if (!doc.containsKey(field))\
+ \ return null;\n def dv = doc[field];\n if (dv == null || dv.size() ==\
+ \ 0) return null;\n String v = dv.value.toString();\n String l = v.toLowerCase();\n\
+ \ if (l == '' || l == '-' || l == 'unknown' || l == 'n/a') return null;\n\
+ \ return v;\n}\n\nString heid = read(doc, 'host.entity.id');\nif (heid\
+ \ != null) { emit(heid); return; }\n\nString hid = read(doc, 'host.id');\n\
+ if (hid != null) { emit(hid); return; }\n\nString hname = read(doc, 'host.name');\n\
+ String hdom = read(doc, 'host.domain');\nif (hname != null && hdom != null)\
+ \ { emit(hname + '.' + hdom); return; }\n\nString hhostname = read(doc,\
+ \ 'host.hostname');\nif (hhostname != null && hdom != null) { emit(hhostname\
+ \ + '.' + hdom); return; }\n\nif (hhostname != null) { emit(hhostname);\
+ \ return; }\nif (hname != null) { emit(hname); return; }"
+dest:
+ index: ml-rdp-lmd
+description: This transform runs hourly and collects windows RDP session information
+ for Lateral Movement Detection package.
+frequency: 1h
+pivot:
+ aggregations:
+ number_processes_per_session:
+ value_count:
+ field: process.name
+ total_length_process_args:
+ sum:
+ field: process.args_count
+ session.start_time:
+ min:
+ field: '@timestamp'
+ session.complete_time:
+ max:
+ field: '@timestamp'
+ session.duration:
+ bucket_script:
+ buckets_path:
+ start_time: session.start_time.value
+ complete_time: session.complete_time.value
+ script: Math.round((params.complete_time - params.start_time)/1000)
+ group_by:
+ host.entity.id_computed:
+ terms:
+ field: host.entity.id_computed
+ host.name:
+ terms:
+ field: host.name
+ destination.ip:
+ terms:
+ field: destination.ip
+ user.entity.id_computed:
+ terms:
+ field: user.entity.id_computed
+ user.name:
+ terms:
+ field: user.name
+ source.ip:
+ terms:
+ field: process.Ext.session_info.client_address
+ process.Ext.authentication_id:
+ terms:
+ field: process.Ext.authentication_id
+settings:
+ deduce_mappings: false
+ unattended: true
+sync:
+ time:
+ delay: 60s
+ field: '@timestamp'
+_meta:
+ fleet_transform_version: 2.6.0
+ run_as_kibana_system: false
diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json
index 5cd9f2b19b0..190bf040d20 100644
--- a/packages/lmd/kibana/ml_module/lmd-ml.json
+++ b/packages/lmd/kibana/ml_module/lmd-ml.json
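Review bot: The `settings:` block of the new transform drops the why-comment the deleted `pivot_transform/transform.yml` carried on `deduce_mappings: false` (`# This is required to prevent the transform from clobbering the Fleet-managed mappings.`); with the renamed fields.yml now the only source of the `ml-rdp-lmd` mapping for `user.entity.id_computed` and `host.entity.id_computed`, that explanation matters more than before and should be restored on the same line. The two inline Painless `runtime_mappings` re-implement, as literal strings, what the ML datafeeds in this commit fetch as the stored scripts `euid_user_entity` and `euid_host_entity`, so the transform's entity ids can drift from the ones the jobs see the next time one copy is edited; a comment above `user.entity.id_computed:` naming the stored script as the canonical definition (or a TODO to reference it instead of inlining) would make that coupling visible. Worth stating in `description` as well that both computed ids are fallback chains built from event-reported fields (`user.name` joined to `host.entity.id`/`host.id`/`host.name`/`user.domain`, and `host.name`/`host.hostname` joined to `host.domain`), so a consumer of `ml-rdp-lmd` knows the grouping key is derived from what the endpoint reports about itself rather than an authoritative identifier. `fleet_transform_version: 2.6.0` is carried over unchanged while the pivot gains two `group_by` keys and the destination gains two fields; if Fleet uses that value to decide whether to reinstall the transform on upgrade, it presumably needs a bump.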
@@ -1,914 +1,984 @@ { - "attributes": { - "id": "lmd-ml", - "title": "Lateral Movement Detection", - "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", - "type": "lmd", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "lmd-ml", + "title": "Lateral Movement Detection", + "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", + "type": "lmd", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { - "bool": { - "filter": [ - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "filter": [ + { + "exists": { + "field": "session.start_time" + } } + ] } - }, - "jobs": [ - { - "id": "lmd_high_count_remote_file_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high file transfers to a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", - "function": "high_count", - "by_field_name": "event.action", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_file_size_remote_file_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high size of files shared with a remote host in the 
network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_extension_remote_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects rare file extensions shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file.extension", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_path_remote_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusual folders and directories on which a file is transferred.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by file_directory partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file_directory", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.path" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": 
"lmd_high_mean_rdp_session_duration", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high mean of RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_var_rdp_session_duration", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high variance in RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + 
} + }, + "jobs": [ + { + "id": "lmd_high_count_remote_file_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high file transfers to a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_file_size_remote_file_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high size of files shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_rare_file_extension_remote_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects rare file extensions shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", + "function": "rare", + 
"by_field_name": "file.extension", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_rare_file_path_remote_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusual folders and directories on which a file is transferred.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by file_directory partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file_directory", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.path", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_mean_rdp_session_duration_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high mean of RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip", + 
"user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_var_rdp_session_duration_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high variance in RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_sum_rdp_number_of_processes_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of processes started in a single RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "destination.ip", + "detector_index": 1 + 
} + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects an RDP session started at an usual time or weekday.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "time_of_week partitionfield=\"source.ip\"", + "function": "time_of_week", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "destination.ip", + "source.ip", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", + "function": "high_distinct_count", + "field_name": "source.ip", + "partition_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "destination.ip", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": 
"lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", + "function": "high_distinct_count", + "field_name": "destination.ip", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_mean_rdp_process_args_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of process arguments in an RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + } + ], + "datafeeds": [ + { + "id": 
"datafeed-lmd_high_count_remote_file_transfer_euid", + "job_id": "lmd_high_count_remote_file_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_count_remote_file_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_sum_rdp_number_of_processes", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of processes started in a single RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "lmd_unusual_time_weekday_rdp_session_start", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects an RDP session started at an usual 
time or weekday.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "time_of_week partitionfield=\"source.ip\"", - "function": "time_of_week", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "destination.ip", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-lmd_high_file_size_remote_file_transfer_euid", + "job_id": "lmd_high_file_size_remote_file_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_file_size_remote_file_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_rdp_distinct_count_source_ip_for_destination", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", - "function": "high_distinct_count", - "field_name": "source.ip", - "partition_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { 
+ "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "lmd_high_rdp_distinct_count_destination_ip_for_source", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", - "function": "high_distinct_count", - "field_name": "destination.ip", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-lmd_rare_file_extension_remote_transfer_euid", + "job_id": "lmd_rare_file_extension_remote_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_extension_remote_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_mean_rdp_process_args", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of process arguments in an RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": 
"high_mean(total_length_process_args) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-lmd_high_count_remote_file_transfer", - "job_id": "lmd_high_count_remote_file_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_count_remote_file_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - } - } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-lmd_high_file_size_remote_file_transfer", - "job_id": "lmd_high_file_size_remote_file_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_file_size_remote_file_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - 
"term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-lmd_high_mean_rdp_session_duration_euid", + "job_id": "lmd_high_mean_rdp_session_duration_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_session_duration_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_rare_file_extension_remote_transfer", - "job_id": "lmd_rare_file_extension_remote_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_extension_remote_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_var_rdp_session_duration_euid", + "job_id": "lmd_high_var_rdp_session_duration_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_var_rdp_session_duration_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": 
"session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_mean_rdp_session_duration", - "job_id": "lmd_high_mean_rdp_session_duration", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_session_duration", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_sum_rdp_number_of_processes_euid", + "job_id": "lmd_high_sum_rdp_number_of_processes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_sum_rdp_number_of_processes_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_var_rdp_session_duration", - "job_id": "lmd_high_var_rdp_session_duration", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_var_rdp_session_duration", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_euid", + "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_sum_rdp_number_of_processes", - "job_id": "lmd_high_sum_rdp_number_of_processes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - 
], - "job_id": "lmd_high_sum_rdp_number_of_processes", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start", - "job_id": "lmd_unusual_time_weekday_rdp_session_start", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_unusual_time_weekday_rdp_session_start", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination", - "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": 
"lmd_high_rdp_distinct_count_source_ip_for_destination", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_mean_rdp_process_args_euid", + "job_id": "lmd_high_mean_rdp_process_args_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_process_args_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source", - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_rare_file_path_remote_transfer_euid", + "job_id": "lmd_rare_file_path_remote_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_path_remote_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "datafeed-lmd_high_mean_rdp_process_args", - "job_id": "lmd_high_mean_rdp_process_args", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_process_args", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ], + 
"filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] + } + }, + "runtime_mappings": { + "file_directory": { + "type": "keyword", + "script": { + "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" + } + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-lmd_rare_file_path_remote_transfer", - "job_id": "lmd_rare_file_path_remote_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_path_remote_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - }, - "runtime_mappings": { - "file_directory": { - "type": "keyword", - "script": { - "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" - } - } - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - ] - 
},
- "id": "lmd-ml",
- "migrationVersion": {
- "search": "7.16.0"
- },
- "references": [],
- "type": "ml-module"
-}
\ No newline at end of file
+ }
+ }
+ }
+ ]
+ },
+ "id": "lmd-ml",
+ "migrationVersion": {
+ "search": "7.16.0"
+ },
+ "references": [],
+ "type": "ml-module"
+}
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml
similarity index 66%
rename from packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml
rename to packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml
index ca19fa4519a..5fe8ce89960 100644
--- a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml
+++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml
@@ -11,4 +11,8 @@
 - external: ecs
 name: event.category
 - external: ecs
- name: '@timestamp'
\ No newline at end of file
+ name: '@timestamp'
+- name: user.entity.id_computed
+ type: keyword
+- name: host.entity.id_computed
+ type: keyword
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml
new file mode 100644
index 00000000000..3c003ff2369
--- /dev/null
+++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml
@@ -0,0 +1,129 @@
+source:
+ index: logs-*
+ query:
+ bool:
+ filter:
+ - range:
+ '@timestamp':
+ gte: now-1M
+ - exists:
+ field: winlog.event_data.PrivilegeList
+ - terms:
+ host.os.type:
+ - windows
+ - Windows
+ - terms:
+ event.action:
+ - logged-in-special
+ - privileged-service-called
+ - privileged-operation
+ - terms:
+ winlog.event_data.PrivilegeList:
+ - SeDebugPrivilege
+ - SeTakeOwnershipPrivilege
+ - SeBackupPrivilege
+ - SeRestorePrivilege
+ - SeImpersonatePrivilege
+ - SeAssignPrimaryTokenPrivilege
+ must_not:
+ - terms:
+ process.name:
+ - elastic-agent.exe
+ - elastic-agent
+ - metricbeat.exe
+ - metricbeat
+ - filebeat.exe
+ - filebeat
+ - packetbeat.exe
+ - packetbeat
+ - winlogbeat.exe
+ - winlogbeat
+ - terms:
+ _tier:
+ - data_cold
+ - data_frozen
+ runtime_mappings:
+ user.entity.id_computed:
+ type: keyword
+ script:
+ source: "String read(def doc, String field) {\n if (!doc.containsKey(field))\
+ \ return null;\n def dv = doc[field];\n if (dv == null || dv.size() ==\
+ \ 0) return null;\n String v = dv.value.toString();\n String l = v.toLowerCase();\n\
+ \ if (l == '' || l == '-' || l == 'unknown' || l == 'n/a') return null;\n\
+ \ return v;\n}\n\nString ueid = read(doc, 'user.entity.id');\nif (ueid\
+ \ != null) { emit(ueid); return; }\n\nString uname = read(doc, 'user.name');\n\
+ String heid = read(doc, 'host.entity.id');\nif (uname != null && heid !=\
+ \ null) { emit(uname + '@' + heid); return; }\n\nString hid = read(doc,\
+ \ 'host.id');\nif (uname != null && hid != null) { emit(uname + '@' + hid);\
+ \ return; }\n\nString hname = read(doc, 'host.name');\nif (uname != null\
+ \ && hname != null) { emit(uname + '@' + hname); return; }\n\nString uid\
+ \ = read(doc, 'user.id');\nif (uid != null) { emit(uid); return; }\n\nString\
+ \ email = read(doc, 'user.email');\nif (email != null) { emit(email); return;\
+ \ }\n\nString udom = read(doc, 'user.domain');\nif (uname != null && udom\
+ \ != null) { emit(uname + '@' + udom); return; 
}\n\nif (uname != null) {\
+ \ emit(uname); return; }"
+ host.entity.id_computed:
+ type: keyword
+ script:
+ source: "String read(def doc, String field) {\n if (!doc.containsKey(field))\
+ \ return null;\n def dv = doc[field];\n if (dv == null || dv.size() ==\
+ \ 0) return null;\n String v = dv.value.toString();\n String l = v.toLowerCase();\n\
+ \ if (l == '' || l == '-' || l == 'unknown' || l == 'n/a') return null;\n\
+ \ return v;\n}\n\nString heid = read(doc, 'host.entity.id');\nif (heid\
+ \ != null) { emit(heid); return; }\n\nString hid = read(doc, 'host.id');\n\
+ if (hid != null) { emit(hid); return; }\n\nString hname = read(doc, 'host.name');\n\
+ String hdom = read(doc, 'host.domain');\nif (hname != null && hdom != null)\
+ \ { emit(hname + '.' + hdom); return; }\n\nString hhostname = read(doc,\
+ \ 'host.hostname');\nif (hhostname != null && hdom != null) { emit(hhostname\
+ \ + '.' + hdom); return; }\n\nif (hhostname != null) { emit(hhostname);\
+ \ return; }\nif (hname != null) { emit(hname); return; }"
+dest:
+ index: ml_windows_privilege_type_pad-1.1.1
+ aliases:
+ - alias: ml_windows_privilege_type_pad.latest
+ move_on_creation: true
+ - alias: ml_windows_privilege_type_pad.all
+ move_on_creation: false
+description: This transform runs hourly and collects special privileges assigned to
+ a user in the Windows events for the Privileged Access Detection package.
+frequency: 1h
+pivot:
+ aggregations:
+ '@timestamp':
+ max:
+ field: '@timestamp'
+ group_by:
+ host.entity.id_computed:
+ terms:
+ field: host.entity.id_computed
+ host.name:
+ terms:
+ field: host.name
+ user.entity.id_computed:
+ terms:
+ field: user.entity.id_computed
+ user.name:
+ terms:
+ field: user.name
+ privilege_type:
+ terms:
+ field: winlog.event_data.PrivilegeList
+ event.action:
+ terms:
+ field: event.action
+ event.category:
+ terms:
+ field: event.category
+ event.code:
+ terms:
+ field: event.code
+settings:
+ deduce_mappings: false
+ unattended: true
+sync:
+ time:
+ delay: 60s
+ field: '@timestamp'
+_meta:
+ fleet_transform_version: 1.1.1
+ run_as_kibana_system: false
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml
deleted file mode 100644
index 00a84c693ea..00000000000
--- a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml
+++ /dev/null
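Review bot: The destination index `ml_windows_privilege_type_pad-1.1.1` and `fleet_transform_version: 1.1.1` are carried over unchanged from the deleted `pivot_transform_windows_privilege_list` transform, yet the pivot now groups on two new keys (`host.entity.id_computed`, `user.entity.id_computed`) that `fields.yml` adds as keyword fields; with `deduce_mappings: false` the destination mappings come from the package, so an already-installed 1.1.1 destination may not pick up the new fields unless the version (and dest index suffix) is bumped — worth confirming against how Fleet reinstalls transform destinations on upgrade. The why-comment that sat above `deduce_mappings: false` in the old file (`# This is required to prevent the transform from clobbering the Fleet-managed mappings.`) was lost in the rewrite and should be restored, since it explains the only non-default setting in the block. The two inline Painless sources under `runtime_mappings` duplicate the identity-derivation logic that the `lmd-ml.json` datafeeds reference as stored scripts `euid_user_entity` and `euid_host_entity`; a second copy will drift, and if the runtime-field `script` object accepts a stored-script `id` in the target stack version, referencing the shared script keeps transform rows and ML job entities keyed identically.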
@@ -1,65 +0,0 @@
-source:
- index: "logs-*"
- query:
- bool:
- filter:
- - range:
- '@timestamp':
- gte: now-1M
- - exists:
- field: winlog.event_data.PrivilegeList
- - terms:
- 'host.os.type': ["windows","Windows"]
- - terms:
- 'event.action': ["logged-in-special","privileged-service-called","privileged-operation"]
- - terms:
- 'winlog.event_data.PrivilegeList': ["SeDebugPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege", "SeRestorePrivilege","SeImpersonatePrivilege","SeAssignPrimaryTokenPrivilege"]
- must_not:
- - terms:
- 'process.name': [ "elastic-agent.exe","elastic-agent","metricbeat.exe","metricbeat","filebeat.exe","filebeat","packetbeat.exe","packetbeat","winlogbeat.exe","winlogbeat" ]
- - terms:
- '_tier': [ "data_cold", "data_frozen" ]
-dest:
- index: ml_windows_privilege_type_pad-1.1.1
- aliases:
- - alias: ml_windows_privilege_type_pad.latest
- move_on_creation: true
- - alias: ml_windows_privilege_type_pad.all
- move_on_creation: false
-description: This transform runs hourly and collects special privileges assigned to a user in the Windows events for the Privileged Access Detection package.
-frequency: 1h
-pivot:
- aggregations:
- '@timestamp':
- max:
- field: '@timestamp'
- group_by:
- 'host.name':
- terms:
- field: host.name
- 'user.name':
- terms:
- field: user.name
- 'privilege_type':
- terms:
- field: winlog.event_data.PrivilegeList
- 'event.action':
- terms:
- field: event.action
- 'event.category':
- terms:
- field: event.category
- 'event.code':
- terms:
- field: event.code
-settings:
- # This is required to prevent the transform from clobbering the Fleet-managed mappings.
- deduce_mappings: false
- unattended: true
-sync:
- time:
- delay: 60s
- field: '@timestamp'
-_meta:
- fleet_transform_version: 1.1.1
- run_as_kibana_system: false
\ No newline at end of file
diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json
index c91ab105138..6cf3bd280b1 100644
--- a/packages/pad/kibana/ml_module/pad-ml.json
+++ b/packages/pad/kibana/ml_module/pad-ml.json
@@ -1,2385 +1,2564 @@ { - "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "winlog.event_id" - } + "attributes": { + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] } - ] - } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } + }, + { + "exists": { + "field": "winlog.event_id" } - ] - } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" + } ] } - } - } - }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special logon events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } } - ], - 
"influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special logon events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + 
"winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_high_count_group_management_events", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, 
- { - "id": "pad_windows_high_count_user_account_management_events", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_group_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually 
high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_group_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - 
"detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "privilege_type", + "event.action", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_device_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + 
"group.name", + "winlog.event_data.TargetUserName", + "event.action", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_source_ip_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_device_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_region_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + 
"description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - 
"detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_rare_process_executed_by_user", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + 
"host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "process.command_line", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_membership_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_membership_changes", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": 
"Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.name", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_privilege_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 
0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.name", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": "Detects spike in group application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": 
"ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.name", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.name", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - 
}, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_lifecycle_changes", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "source.user.name", - "agent.name", - "source.user.full_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.name", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_source_ip_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual sum of active sessions started by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + 
"field_name": "okta_distinct_ips", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "source.user.name", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_region_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_rare_source_ip_by_user", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" - ] - }, - 
"data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_host_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_rare_region_name_by_user", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "agent.name", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events", - "job_id": "pad_windows_high_count_special_logon_events", - 
"config": { - "indices": [ - "INDEX_PATTERN_NAME" + }, + { + "id": "pad_okta_rare_host_name_by_user", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "agent.name", + "partition_field_name": "source.user.name", + "detector_index": 0 + } ], - "job_id": "pad_windows_high_count_special_logon_events", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] - } + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_euid", + "job_id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_logon_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events", - "job_id": "pad_windows_high_count_special_privilege_use_events", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": 
"pad_windows_high_count_special_privilege_use_events", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": 
"datafeed-pad_windows_high_count_group_management_events_euid", + "job_id": "pad_windows_high_count_group_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": 
{ + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_euid", + "job_id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_euid", + "job_id": "pad_windows_rare_device_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + 
"4726",
+ "4722",
+ "4756",
+ "4672",
+ "4673",
+ "4674",
+ "4720",
+ "4728",
+ "4732",
+ "4756",
+ "624",
+ "632",
+ "636",
+ "660",
+ "4725",
+ "4723",
+ "4648",
+ "4688",
+ "4729",
+ "4733",
+ "4757",
+ "637",
+ "661"
+ ]
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "terms": {
+ "event.action": [
+ "log_on",
+ "created_process"
+ ]
+ }
+ },
+ {
+ "terms": {
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "script_fields": {
+ "user.entity.id_computed": {
+ "script": {
+ "id": "euid_user_entity"
+ }
+ },
+ "host.entity.id_computed": {
+ "script": {
+ "id": "euid_host_entity"
+ }
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-pad_windows_rare_source_ip_by_user_euid",
+ "job_id": "pad_windows_rare_source_ip_by_user_euid",
+ "config": {
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "job_id": "pad_windows_rare_source_ip_by_user_euid",
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "terms": {
+ "host.os.type": [
+ "windows",
+ "Windows"
+ ]
+ }
+ },
+ {
+ "exists": {
+ "field": "source.ip"
+ }
+ },
+ {
+ "exists": {
+ "field": "user.name"
+ }
+ },
+ {
+ "terms": {
+ "event.code": [
+ "4720",
+ "4726",
+ "4722",
+ "4756",
+ "4672",
+ "4673",
+ "4674",
+ "4720",
+ "4728",
+ "4732",
+ "4756",
+ "624",
+ "632",
+ "636",
+ "660",
+ "4725",
+ "4723",
+ "4648",
+ "4688",
+ "4729",
+ "4733",
+ "4757",
+ "637",
+ "661"
+ ]
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "terms": {
+ "event.action": [
+ "log_on",
+ "created_process"
+ ]
+ }
+ },
+ {
+ "terms": {
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "script_fields": {
+ "user.entity.id_computed": {
+ "script": {
+ "id": "euid_user_entity"
+ }
+ },
+ "host.entity.id_computed": {
+ "script": {
+ "id": "euid_host_entity"
+ }
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-pad_windows_rare_region_name_by_user_euid",
+ "job_id": "pad_windows_rare_region_name_by_user_euid",
+ "config": {
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "job_id": "pad_windows_rare_region_name_by_user_euid",
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "terms": {
+ "host.os.type": [
+ "windows",
+ "Windows"
+ ]
+ }
+ },
+ {
+ "exists": {
+ "field": "source.geo.region_name"
+ }
+ },
+ {
+ "exists": {
+ "field": "user.name"
+ }
+ },
+ {
+ "terms": {
+ "event.code": [
+ "4720",
+ "4726",
+ "4722",
+ "4756",
+ "4672",
+ "4673",
+ "4674",
+ "4720",
+ "4728",
+ "4732",
+ "4756",
+ "624",
+ "632",
+ "636",
+ "660",
+ "4725",
+ "4723",
+ "4648",
+ "4688",
+ "4729",
+ "4733",
+ "4757",
+ "637",
+ "661"
+ ]
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "terms": {
+ "event.action": [
+ "log_on",
+ "created_process"
+ ]
+ }
+ },
+ {
+ "terms": {
+ "process.name": [
+ "elastic-agent.exe",
+ "elastic-agent",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "script_fields": {
+ "user.entity.id_computed": {
+ "script": {
+ "id": "euid_user_entity"
+ }
+ },
+ "host.entity.id_computed": {
+ "script": {
+ "id": "euid_host_entity"
+ }
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid",
+ "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid",
+ "config": {
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid",
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "terms": {
+ "host.os.type": [
+ "linux",
+ "Linux"
+ ]
+ }
+ },
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "terms": {
+ "event.type": [
+ "start",
+ "change"
+ ]
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "match_phrase": {
+ "process.command_line.text": "LD_PRELOAD"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "/etc/ld.so.preload"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "/root/.ssh/authorized_keys"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "timestamp_timeout=-1"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "!tty_tickets"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "var/spool/cron"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl daemon-reload"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "pw mod user"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "pw unlock"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "chmod u+s"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo setcap cap_setuid"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "su nobody"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo nobody"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo */root/"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo*etc/sudoers"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo*visudo"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "etc/cron.*/"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "trap*SIGINT"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "find*-perm*2000"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "find*-perm*4000"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl start*.service"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl enable*.service"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bash_profile"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bashrc"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.shrc"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/etc/profile"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bash_logout"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/etc/rc."
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "terms": {
+ "process.name": [
+ "elastic-agent",
+ "elasticsearch-users",
+ "elastic-agent.exe",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
+ }
+ },
+ {
+ "terms": {
+ "process.command_line.text": [
+ "elastic-agent",
+ "elasticsearch"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "script_fields": {
+ "user.entity.id_computed": {
+ "script": {
+ "id": "euid_user_entity"
+ }
+ },
+ "host.entity.id_computed": {
+ "script": {
+ "id": "euid_host_entity"
+ }
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-pad_linux_rare_process_executed_by_user_euid",
+ "job_id": "pad_linux_rare_process_executed_by_user_euid",
+ "config": {
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "job_id": "pad_linux_rare_process_executed_by_user_euid",
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "terms": {
+ "host.os.type": [
+ "linux",
+ "Linux"
+ ]
+ }
+ },
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "terms": {
+ "event.type": [
+ "start",
+ "change"
+ ]
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "match_phrase": {
+ "process.command_line.text": "LD_PRELOAD"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "/etc/ld.so.preload"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "/root/.ssh/authorized_keys"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "timestamp_timeout=-1"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "!tty_tickets"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "var/spool/cron"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl daemon-reload"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "pw mod user"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "pw unlock"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "chmod u+s"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo setcap cap_setuid"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "su nobody"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo nobody"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo */root/"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo*etc/sudoers"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo*visudo"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "etc/cron.*/"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "trap*SIGINT"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "find*-perm*2000"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "find*-perm*4000"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl start*.service"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl enable*.service"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bash_profile"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bashrc"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.shrc"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/etc/profile"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bash_logout"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/etc/rc."
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "terms": {
+ "process.name": [
+ "elastic-agent",
+ "elasticsearch-users",
+ "elastic-agent.exe",
+ "metricbeat.exe",
+ "metricbeat",
+ "filebeat.exe",
+ "filebeat",
+ "packetbeat.exe",
+ "packetbeat",
+ "winlogbeat.exe",
+ "winlogbeat"
+ ]
+ }
+ },
+ {
+ "terms": {
+ "process.command_line.text": [
+ "elastic-agent",
+ "elasticsearch"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "script_fields": {
+ "user.entity.id_computed": {
+ "script": {
+ "id": "euid_user_entity"
+ }
+ },
+ "host.entity.id_computed": {
+ "script": {
+ "id": "euid_host_entity"
+ }
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid",
+ "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid",
+ "config": {
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid",
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "terms": {
+ "host.os.type": [
+ "linux",
+ "Linux"
+ ]
+ }
+ },
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "terms": {
+ "event.type": [
+ "start",
+ "change"
+ ]
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "match_phrase": {
+ "process.command_line.text": "LD_PRELOAD"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "/etc/ld.so.preload"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "/root/.ssh/authorized_keys"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "timestamp_timeout=-1"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "!tty_tickets"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "var/spool/cron"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl daemon-reload"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "pw mod user"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "pw unlock"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "chmod u+s"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo setcap cap_setuid"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "su nobody"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo nobody"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo */root/"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo*etc/sudoers"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "sudo*visudo"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "etc/cron.*/"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "trap*SIGINT"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "find*-perm*2000"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "find*-perm*4000"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl start*.service"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "systemctl enable*.service"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bash_profile"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bashrc"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.shrc"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/etc/profile"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/.bash_logout"
+ }
+ },
+ {
+ "match_phrase": {
+ "process.command_line.text": "echo*/etc/rc."
+ } + } + ] } - ], - "must_not": [ + } + ], + "must_not": [ { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events", - "job_id": "pad_windows_high_count_group_management_events", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } } } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events", - "job_id": "pad_windows_high_count_user_account_management_events", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - 
"Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes", + "job_id": "pad_okta_spike_in_group_membership_changes", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user", - "job_id": "pad_windows_rare_privilege_assigned_to_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } + "okta.event_type": [ + "group.user_membership.add", + "group.user_membership.remove" + ] } - ] - } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user", - "job_id": "pad_windows_rare_group_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes", + "job_id": 
"pad_okta_spike_in_user_lifecycle_management_changes", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user", - "job_id": "pad_windows_rare_device_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_privilege_changes", + "job_id": "pad_okta_spike_in_group_privilege_changes", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "event.action": [ - "log_on", - "created_process" + "okta.event_type": [ + "group.privilege.grant", + "group.privilege.revoke" ] - } - }, - { - "terms": { - 
"process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } + } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user", - "job_id": "pad_windows_rare_source_ip_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_source_ip_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes", + "job_id": "pad_okta_spike_in_group_application_assignment_changes", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_application_assignment_changes", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "event.action": [ - "log_on", - "created_process" + "okta.event_type": [ + "group.application_assignment.add", + "group.application_assignment.remove" ] - } - }, - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } + } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user", - "job_id": "pad_windows_rare_region_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": 
"pad_windows_rare_region_name_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes", + "job_id": "pad_okta_spike_in_group_lifecycle_changes", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "event.action": [ - "log_on", - "created_process" + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete" ] - } - }, - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user", - "job_id": "pad_linux_high_count_privileged_process_events_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": 
"/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } 
- }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." - } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user", - "job_id": "pad_linux_rare_process_executed_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - 
"match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes", - "job_id": "pad_okta_spike_in_group_membership_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.user_membership.add", "group.user_membership.remove"] - } } - ] - } + } + ] } } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" - ] - } + } + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.user.name" } - ] - } - } - } - }, + }, { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes", - "job_id": "pad_okta_spike_in_group_privilege_changes", - "config": { - 
"indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.privilege.grant", "group.privilege.revoke"] - } + "exists": { + "field": "okta_distinct_ips" } - ] - } - } - } - }, + }, { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes", - "job_id": "pad_okta_spike_in_group_application_assignment_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.application_assignment.add", "group.application_assignment.remove"] + "range": { + "okta_distinct_ips": { + "gte": 2 } } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes", - "job_id": "pad_okta_spike_in_group_lifecycle_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.lifecycle.create", "group.lifecycle.delete"] + }, + { + "range": { + "okta_distinct_countries": { + "gte": 2 } } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.user.name" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 - } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 - } - } - }, - { - 
"term": { - "okta_session_info.has_end_event": 0 - } - } - ] + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } } - } + ] + } } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user", + } + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user", + "job_id": "pad_okta_rare_source_ip_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_rare_source_ip_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user", + } + }, + { + "id": "datafeed-pad_okta_rare_region_name_by_user", + "job_id": "pad_okta_rare_region_name_by_user", + "config": { + "indices": [ + 
"INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_rare_region_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user", + } + }, + { + "id": "datafeed-pad_okta_rare_host_name_by_user", + "job_id": "pad_okta_rare_host_name_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_rare_host_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - 
} - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } + }, + { + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } } } - ] - }, - "id": "pad-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} \ No newline at end of file + } + ] + }, + "id": "pad-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index f78cd91dcb6..d931349e597 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json +++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json 
@@ -1,561 +1,645 @@ { - "attributes": { - "id": "problemchild-ml", - "title": "Living off the Land Attack Detection", - "description": "Detects potential living off the land activity by identifying malicious processes.", - "type": "ProblemChild", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "problemchild-ml", + "title": "Living off the Land Attack Detection", + "description": "Detects potential living off the land activity by identifying malicious processes.", + "type": "ProblemChild", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "exists": { + "field": "problemchild.prediction" + } + }, + { + "exists": { + "field": "blocklist_label" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "problem_child_rare_process_by_host_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a host", + "detector_index": 0, + "function": "rare", + "partition_field_name": "host.name" + } + ], + "influencers": [ + "process.name", + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_host_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for hosts with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + 
"detectors": [ + { + "by_field_name": "host.name", + "detector_description": "high sum of model hits by host", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "host.name", + "detector_description": "high sum of blocklist hits by host", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_rare_process_by_user_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a user", + "detector_index": 0, + "function": "rare", + "partition_field_name": "user.name" + } + ], + "influencers": [ + "process.name", + "user.entity.id_computed", + "host.entity.id_computed", + "process.command_line", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_rare_process_by_parent_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for rare malicious child processes spawned by a parent process.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a parent process", + 
"detector_index": 0, + "function": "rare", + "partition_field_name": "process.parent.name" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.entity.id_computed", + "user.entity.id_computed", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_user_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for users with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "user.name", + "detector_description": "high sum of model hits by user", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "user.name", + "detector_description": "high sum of blocklist hits by user", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "user.entity.id_computed", + "host.entity.id_computed", + "process.command_line", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_parent_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for parent process names with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of model hits by parent process", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": 
"process.parent.name", + "detector_description": "high sum of blocklist hits by parent process", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.entity.id_computed", + "user.entity.id_computed", + "user.name", + "host.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-problem_child_rare_process_by_host_euid", + "job_id": "problem_child_rare_process_by_host_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_host_euid", + "query": { "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "problemchild.prediction" - } - }, - { - "exists": { - "field": "blocklist_label" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - } - }, - "jobs": [ - { - "id": "problem_child_rare_process_by_host", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a host", - "detector_index": 0, - "function": "rare", - "partition_field_name": "host.name" - } - ], - "influencers": [ - "process.name", - "host.name", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" 
- } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "problem_child_high_sum_by_host", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for hosts with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "host.name", - "detector_description": "high sum of model hits by host", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "host.name", - "detector_description": "high sum of blocklist hits by host", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "host.name", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_host_euid", + "job_id": "problem_child_high_sum_by_host_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_host_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "problem_child_rare_process_by_user", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has 
been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a user", - "detector_index": 0, - "function": "rare", - "partition_field_name": "user.name" - } - ], - "influencers": [ - "process.name", - "user.name", - "host.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "problem_child_rare_process_by_parent", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for rare malicious child processes spawned by a parent process.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a parent process", - "detector_index": 0, - "function": "rare", - "partition_field_name": "process.parent.name" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.name", - "user.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_rare_process_by_user_euid", + "job_id": 
"problem_child_rare_process_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_user_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "problem_child_high_sum_by_user", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for users with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "user.name", - "detector_description": "high sum of model hits by user", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "user.name", - "detector_description": "high sum of blocklist hits by user", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "user.name", - "host.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "problem_child_high_sum_by_parent", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for parent process names with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": 
"process.parent.name", - "detector_description": "high sum of model hits by parent process", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of blocklist hits by parent process", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.name", - "user.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - ], - "datafeeds": [ - { - "id": "datafeed-problem_child_rare_process_by_host", - "job_id": "problem_child_rare_process_by_host", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_host", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + } + } + }, + { + "id": "datafeed-problem_child_rare_process_by_parent_euid", + "job_id": "problem_child_rare_process_by_parent_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_parent_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_high_sum_by_host", - "job_id": 
"problem_child_high_sum_by_host", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_host", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-problem_child_rare_process_by_user", - "job_id": "problem_child_rare_process_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_user", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_user_euid", + "job_id": "problem_child_high_sum_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + 
"job_id": "problem_child_high_sum_by_user_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_rare_process_by_parent", - "job_id": "problem_child_rare_process_by_parent", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_parent", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-problem_child_high_sum_by_user", - "job_id": "problem_child_high_sum_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_user", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - 
"winlogbeat" - ] - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_parent_euid", + "job_id": "problem_child_high_sum_by_parent_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_parent_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_high_sum_by_parent", - "job_id": "problem_child_high_sum_by_parent", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_parent", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] } - ] - }, - "id": "problemchild-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} \ No newline at end of file + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + } + ] + }, + "id": "problemchild-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + 
"type": "ml-module" +}