Fixes URLs in OOTB security jobs and updates job IDs #2563

Merged
merged 5 commits into from
Oct 16, 2023
Changes from 3 commits
127 changes: 50 additions & 77 deletions docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc
Expand Up @@ -389,9 +389,13 @@ they are listed for each job.
[[security-integrations-jobs]]
== Security: Elastic Integrations

https://docs.elastic.co/integrations[Elastic Integrations] are a streamlined way to add Elastic assets to your environment, such as data ingestion, {transforms}, and in this case, {ml} capabilities for Security.
https://docs.elastic.co/integrations[Elastic Integrations] are a streamlined way
to add Elastic assets to your environment, such as data ingestion, {transforms},
and in this case, {ml} capabilities for Security.

The following Integrations use {ml} to analyze patterns of user and entity behavior, and help detect and alert when there is related suspicious activity in your environment.
The following Integrations use {ml} to analyze patterns of user and entity
behavior, and help detect and alert when there is related suspicious activity in
your environment.

* https://docs.elastic.co/integrations/ded[Data Exfiltration Detection]
* https://docs.elastic.co/integrations/dga[Domain Generation Algorithm Detection]
Expand All @@ -402,63 +406,59 @@ The following Integrations use {ml} to analyze patterns of user and entity behav

*Domain Generation Algorithm (DGA) Detection*

{ml-cap} solution package to detect domain generation algorithm (DGA) activity in your network data. Refer to the {subscriptions}[subscription page] to learn more about the required subscription.
{ml-cap} solution package to detect domain generation algorithm (DGA) activity
in your network data. Refer to the {subscriptions}[subscription page] to learn
more about the required subscription.

To download, refer to the https://docs.elastic.co/integrations/dga[documentation].

|===
|Name |Description |Job |Datafeed
|Name |Description

|dga_high_sum_probability
|Detect domain generation algorithm (DGA) activity in your network data.
|https://github.com/elastic/integrations/blob/{branch}/packages/dga/kibana/ml_module/dga-ml.json#L23[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/dga/kibana/ml_module/dga-ml.json#L58[image:images/link.svg[A link icon]]

|===

The job configurations and datafeeds can be found
[here](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json).

// LotL

*Living off the Land Attack (LotL) Detection*

{ml-cap} solution package to detect Living off the Land (LotL) attacks in your environment. Refer to the {subscriptions}[subscription page] to learn more about the required subscription. (Also known as ProblemChild).
{ml-cap} solution package to detect Living off the Land (LotL) attacks in your
environment. Refer to the {subscriptions}[subscription page] to learn more about
the required subscription. (Also known as ProblemChild).

To download, refer to the https://docs.elastic.co/integrations/problemchild[documentation].

|===
|Name |Description |Job |Datafeed
|Name |Description

|problem_child_rare_process_by_host
|Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity (experimental).
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L29[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]]

|problem_child_high_sum_by_host
|Looks for a set of one or more malicious child processes on a single host (experimental).
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L64[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]]

|problem_child_rare_process_by_user
|Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity (experimental).
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L106[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]]

|problem_child_rare_process_by_parent
|Looks for rare malicious child processes spawned by a parent process (experimental).
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L141[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]]

|problem_child_high_sum_by_user
|Looks for a set of one or more malicious processes, started by the same user (experimental).
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L177[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]]

|problem_child_high_sum_by_parent
|Looks for a set of one or more malicious child processes spawned by the same parent process (experimental).
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#L219[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/problemchild/kibana/ml_module/problemchild-ml.json#262[image:images/link.svg[A link icon]]

|===

The job configurations and datafeeds can be found
[here](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json).

// ded

*Data Exfiltration Detection (DED)*
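Review bot: the sentence added after each table, "The job configurations and datafeeds can be found [here](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json)." (and the problemchild equivalent), uses Markdown link syntax in an AsciiDoc file, so it will render as literal square brackets followed by a parenthesised URL rather than as a link; the AsciiDoc form is `https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json[here]`. A second point on the same lines: the removed Job and Datafeed column links resolved through `{branch}`, while the replacement sentences hard-code `main`. These docs are built per release, so a `main` link can point at job configurations and datafeeds that differ from the ones shipped with the version the reader is running; consider keeping `{branch}` in the new URLs, or stating that the link tracks the development branch.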
Expand All @@ -468,111 +468,84 @@ To download, refer to the https://docs.elastic.co/integrations/problemchild[docu
To download, refer to the https://docs.elastic.co/integrations/ded[documentation].

|===
|Name |Description |Job |Datafeed
|Name |Description

|high-sent-bytes-destination-geo-country_iso_code
|ded_high_sent_bytes_destination_geo_country_iso_code
|Detects data exfiltration to an unusual geo-location (by country iso code).
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L44[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]]

|high-sent-bytes-destination-ip
|ded_high_sent_bytes_destination_ip
|Detects data exfiltration to an unusual geo-location (by IP address).
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L83[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]]

|high-sent-bytes-destination-port
|ded_high_sent_bytes_destination_port
|Detects data exfiltration to an unusual destination port.
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L119[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]]

|high-sent-bytes-destination-region_name
|ded_high_sent_bytes_destination_region_name
|Detects data exfiltration to an unusual geo-location (by region name).
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L156[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]]

|high-bytes-written-to-external-device
|ded_high_bytes_written_to_external_device
|Detects data exfiltration activity by identifying high bytes written to an external device.
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L194[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]]

|rare-process-writing-to-external-device
|ded_rare_process_writing_to_external_device
|Detects data exfiltration activity by identifying a file write started by a rare process to an external device.
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L231[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]]

|high-bytes-written-to-external-device-airdrop
|ded_high_bytes_written_to_external_device_airdrop
|Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L268[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/ded/kibana/ml_module/ded-ml.json#L304[image:images/link.svg[A link icon]]

|===

The job configurations and datafeeds can be found
[here](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json).

// lmd

*Lateral Movement Detection (LMD)*

{ml-cap} package to detect lateral movement based on file transfer activity and Windows RDP events. Refer to the {subscriptions}[subscription page] to learn more about the required subscription.
{ml-cap} package to detect lateral movement based on file transfer activity and
Windows RDP events. Refer to the {subscriptions}[subscription page] to learn
more about the required subscription.

To download, refer to the https://docs.elastic.co/integrations/lmd[documentation].

|===
|Name |Description |Job |Datafeed
|Name |Description

|high-count-remote-file-transfer
|lmd_high_count_remote_file_transfer
|Detects unusually high file transfers to a remote host in the network.
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L24[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|high-file-size-remote-file-transfer
|lmd_high_file_size_remote_file_transfer
|Detects unusually high size of files shared with a remote host in the network.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L58[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|rare-file-extension-remote-transfer
|lmd_rare_file_extension_remote_transfer
|Detects data exfiltration to an unusual destination port.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L92[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|rare-file-path-remote-transfer
|lmd_rare_file_path_remote_transfer
|Detects unusual folders and directories on which a file is transferred.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L126[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|high-mean-rdp-session-duration
|lmd_high_mean_rdp_session_duration
|Detects unusually high mean of RDP session duration.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L160[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|high-var-rdp-session-duration
|lmd_high_var_rdp_session_duration
|Detects unusually high variance in RDP session duration.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L202[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|high-sum-rdp-number-of-processes
|lmd_high_sum_rdp_number_of_processes
|Detects unusually high number of processes started in a single RDP session.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L244[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|unusual-time-weekday-rdp-session-start
|lmd_unusual_time_weekday_rdp_session_start
|Detects an RDP session started at an usual time or weekday.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L286[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|high-rdp-distinct-count-source-ip-for-destination
|lmd_high_rdp_distinct_count_source_ip_for_destination
|Detects a high count of source IPs making an RDP connection with a single destination IP.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L326[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|high-rdp-distinct-count-destination-ip-for-source
|lmd_high_rdp_distinct_count_destination_ip_for_source
|Detects a high count of destination IPs establishing an RDP connection with a single source IP.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L360[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|high-mean-rdp-process-args
|lmd_high_mean_rdp_process_args
|Detects unusually high number of process arguments in an RDP session.
|https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L394[image:images/link.svg[A link icon]]
|https://github.com/elastic/integrations/blob/{branch}/packages/lmd/kibana/ml_module/lmd-ml.json#L436[image:images/link.svg[A link icon]]

|===

The job configurations and datafeeds can be found
[here](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json).

// end::security-windows-jobs[]
// end::siem-jobs[]
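Review bot: the description on the `lmd_rare_file_extension_remote_transfer` row, "Detects data exfiltration to an unusual destination port.", is a copy of the `ded_high_sent_bytes_destination_port` description from the DED table and does not match the job ID, which refers to rare file extensions in remote file transfers; the row should describe that behaviour instead (the job was renamed in this hunk, so it is a good moment to fix the text too). Two smaller points in the same hunk: the `lmd_unusual_time_weekday_rdp_session_start` description reads "at an usual time or weekday" where the job ID says unusual, and the `[here](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json)` and `[here](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json)` links added after the DED and LMD tables are Markdown syntax that AsciiDoc will not render as links; write them as `https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json[here]`.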