[Detection Rules] Add 7.9 rules (#71808)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
1 parent 25d143f, commit a282af7. Showing 29 changed files with 189 additions and 30 deletions.
29 changes: 29 additions & 0 deletions
...erver/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json
@@ -0,0 +1,29 @@ | ||
{ | ||
"anomaly_threshold": 50, | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", | ||
"false_positives": [ | ||
"Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges." | ||
], | ||
"from": "now-60m", | ||
"interval": "15m", | ||
"license": "Elastic License", | ||
"machine_learning_job_id": "high_distinct_count_error_message", | ||
"name": "Spike in AWS Error Messages", | ||
"note": "### Investigating Spikes in CloudTrail Errors ###\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", | ||
"references": [ | ||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" | ||
], | ||
"risk_score": 21, | ||
"rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", | ||
"severity": "low", | ||
"tags": [ | ||
"AWS", | ||
"Elastic", | ||
"ML" | ||
], | ||
"type": "machine_learning", | ||
"version": 1 | ||
} |
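Review bot: the `machine_learning_job_id` in this hunk is `high_distinct_count_error_message`, but the rule's `name`, `description` and `note` all describe a spike in the rate of one particular error; a high-distinct-count detector flags many different error messages, which is a different signal, so please confirm the job ID points at the intended job or align the description with what that job actually detects. Two smaller points: in the `note`, `user.name` is left unformatted while the sibling rules wrap it in backticks, and the `"from": "now-60m"` lookback combined with `"interval": "15m"` re-examines each ML result window four times, which is fine if intentional (anomaly records can land late) but deserves a line in the PR description.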
29 changes: 29 additions & 0 deletions
...on/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json
@@ -0,0 +1,29 @@ | ||
{ | ||
"anomaly_threshold": 50, | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", | ||
"false_positives": [ | ||
"Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges." | ||
], | ||
"from": "now-60m", | ||
"interval": "15m", | ||
"license": "Elastic License", | ||
"machine_learning_job_id": "rare_error_code", | ||
"name": "Rare AWS Error Code", | ||
"note": "### Investigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", | ||
"references": [ | ||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" | ||
], | ||
"risk_score": 21, | ||
"rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", | ||
"severity": "low", | ||
"tags": [ | ||
"AWS", | ||
"Elastic", | ||
"ML" | ||
], | ||
"type": "machine_learning", | ||
"version": 1 | ||
} |
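Review bot: in the `note` of this hunk the backticks are misplaced in `aws.cloudtrail.error_code field`, which renders the word "field" as code; it should read `aws.cloudtrail.error_code` field, matching the `aws.cloudtrail.error_message` formatting in the sibling spike rule. The `false_positives` entry also says rare errors "may indicate an impending service failure state"; consider adding that operations-side cause to the triage steps in the `note` so an analyst checks service health before attributing the error to a user.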
29 changes: 29 additions & 0 deletions
...erver/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json
@@ -0,0 +1,29 @@ | ||
{ | ||
"anomaly_threshold": 50, | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).", | ||
"false_positives": [ | ||
"New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." | ||
], | ||
"from": "now-60m", | ||
"interval": "15m", | ||
"license": "Elastic License", | ||
"machine_learning_job_id": "rare_method_for_a_city", | ||
"name": "Unusual City For an AWS Command", | ||
"note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", | ||
"references": [ | ||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" | ||
], | ||
"risk_score": 21, | ||
"rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", | ||
"severity": "low", | ||
"tags": [ | ||
"AWS", | ||
"Elastic", | ||
"ML" | ||
], | ||
"type": "machine_learning", | ||
"version": 1 | ||
} |
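Review bot: typo in the `description` of this hunk: "a different geography then the authorized user(s)" should be "than". In the `note`, the backticks in `event.action field` also wrap the word "field"; write `event.action` field. Since the rule's whole premise is city-level geolocation of the source IP, the `note` or `description` should state that alerts depend on geo enrichment being present on the ingested CloudTrail events, otherwise a deployment without that enrichment will silently produce nothing.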
29 changes: 29 additions & 0 deletions
...er/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json
@@ -0,0 +1,29 @@ | ||
{ | ||
"anomaly_threshold": 50, | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).", | ||
"false_positives": [ | ||
"New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently." | ||
], | ||
"from": "now-60m", | ||
"interval": "15m", | ||
"license": "Elastic License", | ||
"machine_learning_job_id": "rare_method_for_a_country", | ||
"name": "Unusual Country For an AWS Command", | ||
"note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", | ||
"references": [ | ||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" | ||
], | ||
"risk_score": 21, | ||
"rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", | ||
"severity": "low", | ||
"tags": [ | ||
"AWS", | ||
"Elastic", | ||
"ML" | ||
], | ||
"type": "machine_learning", | ||
"version": 1 | ||
} |
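Review bot: this hunk repeats the two issues from the city rule: "then the authorized user(s)" in the `description` should be "than", and `event.action field` in the `note` has its closing backtick after "field". The `false_positives`, `note` and `references` blocks here are identical to those in ml_cloudtrail_rare_method_by_city.json apart from city/country, so a fix to one must be mirrored in the other; keeping them in sync by hand is error-prone, and generating both from one template would prevent drift.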
29 changes: 29 additions & 0 deletions
...erver/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json
@@ -0,0 +1,29 @@ | ||
{ | ||
"anomaly_threshold": 75, | ||
"author": [ | ||
"Elastic" | ||
], | ||
"description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.", | ||
"false_positives": [ | ||
"New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used." | ||
], | ||
"from": "now-60m", | ||
"interval": "15m", | ||
"license": "Elastic License", | ||
"machine_learning_job_id": "rare_method_for_a_username", | ||
"name": "Unusual AWS Command for a User", | ||
"note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", | ||
"references": [ | ||
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" | ||
], | ||
"risk_score": 21, | ||
"rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", | ||
"severity": "low", | ||
"tags": [ | ||
"AWS", | ||
"Elastic", | ||
"ML" | ||
], | ||
"type": "machine_learning", | ||
"version": 1 | ||
} |
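Review bot: `anomaly_threshold` is 75 in this hunk while the other four rules in this commit use 50; if the per-user job is noisier and the higher bar is deliberate, say so in the PR description, because anyone tuning these later will otherwise read it as an inconsistency. The `note` has the same backtick slip as the sibling rules (`event.action field`), and "exfil data" in the `description` is better spelled out as "exfiltrate data" to match the register of the other descriptions.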