From 56ba6bdbc07940b58db84d1c9fd3231b7679ca0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Istv=C3=A1n=20Zolt=C3=A1n=20Szab=C3=B3?= Date: Mon, 16 Oct 2023 18:14:36 +0200 Subject: [PATCH] Fixes URLs in OOTB security jobs and updates job IDs (#2563) (cherry picked from commit 0d20ee9ba96b46aba7dfd548b99092cbd44dc9aa) --- .../ootb-ml-jobs-siem.asciidoc | 139 +++++++----------- 1 file changed, 56 insertions(+), 83 deletions(-) diff --git a/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc b/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc index 5b972df0d..d770692f9 100644 --- a/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc +++ b/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc @@ -389,9 +389,13 @@ they are listed for each job. [[security-integrations-jobs]] == Security: Elastic Integrations -https://docs.elastic.co/integrations[Elastic Integrations] are a streamlined way to add Elastic assets to your environment, such as data ingestion, {transforms}, and in this case, {ml} capabilities for Security. +https://docs.elastic.co/integrations[Elastic Integrations] are a streamlined way +to add Elastic assets to your environment, such as data ingestion, {transforms}, +and in this case, {ml} capabilities for Security. -The following Integrations use {ml} to analyze patterns of user and entity behavior, and help detect and alert when there is related suspicious activity in your environment. +The following Integrations use {ml} to analyze patterns of user and entity +behavior, and help detect and alert when there is related suspicious activity in +your environment. * https://docs.elastic.co/integrations/ded[Data Exfiltration Detection] * https://docs.elastic.co/integrations/dga[Domain Generation Algorithm Detection] 
@@ -402,63 +406,59 @@ The following Integrations use {ml} to analyze patterns of user and entity behav *Domain Generation Algorithm (DGA) Detection* -{ml-cap} solution package to detect domain generation algorithm (DGA) activity in your network data. Refer to the {subscriptions}[subscription page] to learn more about the required subscription. +{ml-cap} solution package to detect domain generation algorithm (DGA) activity +in your network data. Refer to the {subscriptions}[subscription page] to learn +more about the required subscription. To download, refer to the https://docs.elastic.co/integrations/dga[documentation]. |=== -|Name |Description |Job |Datafeed +|Name |Description |dga_high_sum_probability |Detect domain generation algorithm (DGA) activity in your network data. -|https://github.com/elastic/integrations/blob/{branch}/packages/dga/kibana/ml_module/dga-ml.json#L23[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/dga/kibana/ml_module/dga-ml.json#L58[image:images/link.svg[A link icon]] |=== +The job configurations and datafeeds can be found +https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json[here]. + // LotL *Living off the Land Attack (LotL) Detection* -{ml-cap} solution package to detect Living off the Land (LotL) attacks in your environment. Refer to the {subscriptions}[subscription page] to learn more about the required subscription. (Also known as ProblemChild). +{ml-cap} solution package to detect Living off the Land (LotL) attacks in your +environment. Refer to the {subscriptions}[subscription page] to learn more about +the required subscription. (Also known as ProblemChild). To download, refer to the https://docs.elastic.co/integrations/problemchild[documentation]. 
|=== -|Name |Description |Job |Datafeed +|Name |Description |problem_child_rare_process_by_host -|Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity (experimental). -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L29[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]] +|Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. |problem_child_high_sum_by_host -|Looks for a set of one or more malicious child processes on a single host (experimental). -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L64[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]] +|Looks for a set of one or more malicious child processes on a single host. |problem_child_rare_process_by_user -|Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity (experimental). -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L106[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]] +|Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. |problem_child_rare_process_by_parent -|Looks for rare malicious child processes spawned by a parent process (experimental). 
-|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L141[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]] +|Looks for rare malicious child processes spawned by a parent process. |problem_child_high_sum_by_user -|Looks for a set of one or more malicious processes, started by the same user (experimental). -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L177[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]] +|Looks for a set of one or more malicious processes, started by the same user. |problem_child_high_sum_by_parent -|Looks for a set of one or more malicious child processes spawned by the same parent process (experimental). -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L219[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]] +|Looks for a set of one or more malicious child processes spawned by the same parent process. |=== +The job configurations and datafeeds can be found +https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json[here]. + // ded *Data Exfiltration Detection (DED)* 
@@ -468,111 +468,84 @@ To download, refer to the https://docs.elastic.co/integrations/problemchild[docu To download, refer to the https://docs.elastic.co/integrations/ded[documentation]. |=== -|Name |Description |Job |Datafeed +|Name |Description -|high-sent-bytes-destination-geo-country_iso_code +|ded_high_sent_bytes_destination_geo_country_iso_code |Detects data exfiltration to an unusual geo-location (by country iso code). -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L44[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]] -|high-sent-bytes-destination-ip +|ded_high_sent_bytes_destination_ip |Detects data exfiltration to an unusual geo-location (by IP address). -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L83[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]] -|high-sent-bytes-destination-port +|ded_high_sent_bytes_destination_port |Detects data exfiltration to an unusual destination port. -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L119[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]] -|high-sent-bytes-destination-region_name +|ded_high_sent_bytes_destination_region_name |Detects data exfiltration to an unusual geo-location (by region name). 
-|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L156[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]] -|high-bytes-written-to-external-device +|ded_high_bytes_written_to_external_device |Detects data exfiltration activity by identifying high bytes written to an external device. -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L194[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]] -|rare-process-writing-to-external-device +|ded_rare_process_writing_to_external_device |Detects data exfiltration activity by identifying a file write started by a rare process to an external device. -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L231[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]] -|high-bytes-written-to-external-device-airdrop +|ded_high_bytes_written_to_external_device_airdrop |Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L268[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]] |=== +The job configurations and datafeeds can be found +https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json[here]. + // lmd *Lateral Movement Detection (LMD)* -{ml-cap} package to detect lateral movement based on file transfer activity and Windows RDP events. 
Refer to the {subscriptions}[subscription page] to learn more about the required subscription. +{ml-cap} package to detect lateral movement based on file transfer activity and +Windows RDP events. Refer to the {subscriptions}[subscription page] to learn +more about the required subscription. To download, refer to the https://docs.elastic.co/integrations/lmd[documentation]. |=== -|Name |Description |Job |Datafeed +|Name |Description -|high-count-remote-file-transfer +|lmd_high_count_remote_file_transfer |Detects unusually high file transfers to a remote host in the network. -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L24[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|high-file-size-remote-file-transfer +|lmd_high_file_size_remote_file_transfer |Detects unusually high size of files shared with a remote host in the network. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L58[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|rare-file-extension-remote-transfer +|lmd_rare_file_extension_remote_transfer |Detects data exfiltration to an unusual destination port. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L92[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|rare-file-path-remote-transfer +|lmd_rare_file_path_remote_transfer |Detects unusual folders and directories on which a file is transferred. 
-|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L126[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|high-mean-rdp-session-duration +|lmd_high_mean_rdp_session_duration |Detects unusually high mean of RDP session duration. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L160[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|high-var-rdp-session-duration +|lmd_high_var_rdp_session_duration |Detects unusually high variance in RDP session duration. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L202[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|high-sum-rdp-number-of-processes +|lmd_high_sum_rdp_number_of_processes |Detects unusually high number of processes started in a single RDP session. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L244[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|unusual-time-weekday-rdp-session-start +|lmd_unusual_time_weekday_rdp_session_start |Detects an RDP session started at an usual time or weekday. 
-|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L286[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|high-rdp-distinct-count-source-ip-for-destination +|lmd_high_rdp_distinct_count_source_ip_for_destination |Detects a high count of source IPs making an RDP connection with a single destination IP. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L326[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|high-rdp-distinct-count-destination-ip-for-source +|lmd_high_rdp_distinct_count_destination_ip_for_source |Detects a high count of destination IPs establishing an RDP connection with a single source IP. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L360[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] -|high-mean-rdp-process-args +|lmd_high_mean_rdp_process_args |Detects unusually high number of process arguments in an RDP session. -|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L394[image:images/link.svg[A link icon]] -|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]] |=== + +The job configurations and datafeeds can be found +https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json[here]. + // end::security-windows-jobs[] // end::siem-jobs[] \ No newline at end of file
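Review bot: In the second hunk (@@ -402,63 +406,59 @@), all six problem_child rows silently lose their "(experimental)" qualifier, for example `-|Looks for a set of one or more malicious child processes on a single host (experimental).` becomes `+|Looks for a set of one or more malicious child processes on a single host.`; that changes the documented maturity of the jobs, and the subject line only mentions URL and job-ID fixes, so please confirm it is intended and say so in the commit message. Two smaller points in the same hunk: the replacement sentences "The job configurations and datafeeds can be found ...[here]." use "here" as link text, which reads poorly out of context (link lists, screen readers), so name the target instead, e.g. "...can be found in the https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json[dga-ml.json module file]."; and the new links hardcode `main` where the removed ones used `{branch}`, which is presumably the URL fix the subject line refers to, but a one-line asciidoc comment next to the links explaining why `main` rather than `{branch}` is correct here would stop the next editor from reverting them. Finally, in the LotL paragraph "(Also known as ProblemChild)" now follows the subscription sentence, so it reads as an alias for the subscription page; attach it to the package instead, e.g. "{ml-cap} solution package (also known as ProblemChild) to detect Living off the Land (LotL) attacks in your environment."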
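Review bot: In the third hunk (@@ -468,111 +468,84 @@), the row renamed to `+|lmd_rare_file_extension_remote_transfer` keeps the description `|Detects data exfiltration to an unusual destination port.`, which is the same text as the `ded_high_sent_bytes_destination_port` row above it and does not describe what the job ID names (a rare file extension in a remote transfer); since this hunk already touches every row of the LMD table, fix the description here rather than leaving it for another pass. In the same table, the `lmd_unusual_time_weekday_rdp_session_start` description reads "at an usual time or weekday", which should be "at an unusual time or weekday". The renames from hyphenated names (`-|high-count-remote-file-transfer`) to prefixed snake_case (`+|lmd_high_count_remote_file_transfer`) presumably mirror the IDs in the linked ded-ml.json and lmd-ml.json files; a reviewer cannot verify that from the diff alone, so a sentence in the commit message stating that the IDs were taken from those files would help. Also, the file still ends with `\ No newline at end of file`; add the trailing newline while the file is being edited.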