[ML] Update Security_Linux and Security_Windows Modules to V3 #123000
Pinging @elastic/ml-ui (:ml)
💔 Build Failed: failed CI steps, test failures.
szabosteve left a comment
Thanks for these changes!
I left some suggestions that could decrease the word count. Please take or leave them.
| "description": "Detect suspicious activity using ECS Linux events. Tested with Auditbeat and the Elastic agent.", | ||
| "id": "security_linux_v3", | ||
| "title": "Security: Linux v3", | ||
| "description": "Security: Linux v3. Version 3 of the Linux Security Machine Learning Module, released in 2022, this module is a replacement for the v2 Linux module. This module contains all shipping ML jobs for Linux host based threat hunting and detection. Any ECS (Elastic Common Schema) compatable Linux events can be used by this module.", |
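Review bot: the new description on the last line of this hunk misspells "compatible" as "compatable", and "host based" should be hyphenated as "host-based" where it modifies "threat hunting and detection"; the context line "Detect suspicious activity using ECS Linux events" also disagrees in number with the Windows manifest's "Detects suspicious activity", so pick one form for both modules.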
As the title is Security: Linux v3, the description might be a bit shorter.
| "description": "Security: Linux v3. Version 3 of the Linux Security Machine Learning Module, released in 2022, this module is a replacement for the v2 Linux module. This module contains all shipping ML jobs for Linux host based threat hunting and detection. Any ECS (Elastic Common Schema) compatable Linux events can be used by this module.", | |
| "description": "Contains all shipping ML jobs for Linux host-based threat hunting and detection. Any ECS-compatible Linux events can be used by the jobs.", |
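Review bot: the suggested wording also silently fixes the "compatable" misspelling, which is worth taking on its own, but it drops the statement that this module was released in 2022 as the replacement for the v2 Linux module; if users migrating from v2 need that, record it in the release notes or module docs rather than losing it entirely.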
| @@ -0,0 +1,55 @@ | |||
| { | |||
| "job_type": "anomaly_detector", | |||
| "description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", | |||
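Review bot: this description and the near-identical ones for the network connection, system information, process and user discovery jobs below follow one template, so the "in order to" trim suggested for each should be applied uniformly to all five in one pass rather than job by job; since every one of these files is added as new (@@ -0,0 +1,55 @@), also confirm the existing v2 job files are being supplemented, not replaced, which is the concern raised later in the thread.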
| "description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", | |
| "description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", |
| @@ -0,0 +1,55 @@ | |||
| { | |||
| "job_type": "anomaly_detector", | |||
| "description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", | |||
| "description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", | |
| "description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", |
| @@ -0,0 +1,55 @@ | |||
| { | |||
| "job_type": "anomaly_detector", | |||
| "description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", | |||
| "description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", | |
| "description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.", |
| @@ -0,0 +1,55 @@ | |||
| { | |||
| "job_type": "anomaly_detector", | |||
| "description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", | |||
| "description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", | |
| "description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.", |
| @@ -0,0 +1,55 @@ | |||
| { | |||
| "job_type": "anomaly_detector", | |||
| "description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", | |||
| "description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", | |
| "description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.", |
| "description": "Detects suspicious activity using ECS Windows events. Tested with Winlogbeat and the Elastic agent.", | ||
| "id": "security_windows_v3", | ||
| "title": "Security: Windows v3", | ||
| "description": "Security: Linux v3. Version 3 of the Windows Security Machine Learning Module, released in 2022, this module is a replacement for the v2 Windows module. This module contains all shipping ML jobs for Windows host based threat hunting and detection. Any ECS (Elastic Common Schema) compatable Windows events can be used by this module.", |
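Review bot: the new description on the last line of this hunk opens with "Security: Linux v3" although this is the Windows manifest (title "Security: Windows v3"), a copy-paste slip that would be shown verbatim in the module list; it also carries the same "compatable" misspelling as the Linux manifest.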
As the title is Security: Windows v3, the description might be a bit shorter.
| "description": "Security: Linux v3. Version 3 of the Windows Security Machine Learning Module, released in 2022, this module is a replacement for the v2 Windows module. This module contains all shipping ML jobs for Windows host based threat hunting and detection. Any ECS (Elastic Common Schema) compatable Windows events can be used by this module.", | |
| "description": "Contains all shipping ML jobs for Windows host-based threat hunting and detection. Any ECS-compatible Windows events can be used by the jobs.", |
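Review bot: applying this suggestion also removes the stray "Security: Linux v3" prefix from the Windows description, so it should go in even if the shorter wording is not adopted; if the longer form is kept, at minimum correct the OS name and the spelling of "compatible".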
randomuserid left a comment
Looks like the v2 modules were accidentally overwritten with the v3 modules? Let's close this and start a new PR adding the v3_security_linux and v3_security_windows modules. I'll leave the tests failing here for the time being to ensure we don't merge this.
Summary
Adds files for new + refactored v3 jobs for both `security_linux` and `security_windows`, for use within the Security app.
Files/Job Artifacts:
- 2 updated manifest `.json` files, for both linux and windows
- Updated/new ML Job configurations for 26 jobs, each with associated datafeed configuration files:
  - security_linux: 14 jobs
  - security_windows: 12 jobs
Tests:
Individual job test tracking stats available here: https://docs.google.com/spreadsheets/d/1JOUIVsitaMdEdhM3WT2Eag4ELI-rI2Jec7bXildJsdQ/edit#gid=0
Screenshot of an integration test done in a local Kibana instance is provided below. Tried to make the descriptions as informative as possible (because of this note I read from a previous release); please let us know the next steps for that.
@randomuserid to also post more updates as needed to this issue and regarding tests, thanks.
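The review above turned up exactly the kind of slips a mechanical check catches before a human reads 26 job files: a Windows manifest described as "Security: Linux v3", a repeated misspelling, and the requirement that every job ship with a datafeed. The following linter is an added example written for this page, not code from Kibana or from the PR author. It reads the `id`, `title` and `description` fields visible in the diff; the `jobs` and `datafeeds` lists, their `id`/`job_id` keys and the per-job `description` field are an assumed layout, and the sample manifests are constructed (the Windows one deliberately reproduces the slips from the diff).

```python
import re

KNOWN_OS = ("Linux", "Windows")
TYPOS = {"compatable": "compatible"}  # misspelling seen in the PR diff


def _jobs(os_name, n):
    """Constructed job entries; the per-job 'description' mirrors the
    'Security: <OS> - ...' prefix convention used by the PR's job configs."""
    return [{"id": f"v3_{os_name.lower()}_{i}",
             "description": f"Security: {os_name} - Looks for discovery commands "
                            "from an unusual user context."}
            for i in range(n)]


# Constructed sample manifests. Only id/title/description are fields visible in the
# PR; the 'jobs' and 'datafeeds' lists (and the 'job_id' key) are an assumed layout.
SAMPLE_MANIFESTS = {
    "security_linux_v3": {
        "id": "security_linux_v3",
        "title": "Security: Linux v3",
        "description": ("Contains all shipping ML jobs for Linux host-based threat hunting "
                        "and detection. Any ECS-compatible Linux events can be used by the jobs."),
        "jobs": _jobs("Linux", 14),
        "datafeeds": [{"job_id": f"v3_linux_{i}"} for i in range(14)],
    },
    "security_windows_v3": {
        "id": "security_windows_v3",
        "title": "Security: Windows v3",
        # Reproduces the copy-paste slip from the PR: a Windows module described as Linux.
        "description": ("Security: Linux v3. Version 3 of the Windows Security Machine Learning "
                        "Module. Any ECS (Elastic Common Schema) compatable Windows events can be "
                        "used by this module."),
        "jobs": _jobs("Windows", 12),
        "datafeeds": [{"job_id": f"v3_windows_{i}"} for i in range(11)],  # one datafeed missing
    },
}
# Give one Windows job a Linux prefix so the per-job check has something to flag.
SAMPLE_MANIFESTS["security_windows_v3"]["jobs"][0]["description"] = \
    "Security: Linux - Looks for discovery commands from an unusual user context."


def lint_manifest(manifest):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    title = manifest.get("title", "")
    desc = manifest.get("description", "")
    module_os = next((o for o in KNOWN_OS if o in title), None)
    if module_os is None:
        findings.append("title names no known OS")
        return findings
    # 1. The description must not name a different OS (e.g. 'Linux' in the Windows module).
    for other in KNOWN_OS:
        if other != module_os and re.search(rf"\b{other}\b", desc):
            findings.append(f"description mentions {other} but title is for {module_os}")
    # 2. The module id should carry the same OS as the title.
    if module_os.lower() not in manifest.get("id", ""):
        findings.append("id does not match the OS in the title")
    # 3. The description should not merely restate the title.
    if desc.startswith(title):
        findings.append("description repeats the title")
    # 4. Known misspellings.
    for wrong, right in TYPOS.items():
        if wrong in desc:
            findings.append(f"typo '{wrong}' (should be '{right}')")
    # 5. Every job description carries the module's own OS prefix.
    for job in manifest.get("jobs", []):
        if not job.get("description", "").startswith(f"Security: {module_os}"):
            findings.append(f"job {job['id']} description does not start with "
                            f"'Security: {module_os}'")
    # 6. Jobs and datafeeds must pair up one-to-one.
    job_ids = {j["id"] for j in manifest.get("jobs", [])}
    fed_ids = {d["job_id"] for d in manifest.get("datafeeds", [])}
    for missing in sorted(job_ids - fed_ids):
        findings.append(f"job {missing} has no datafeed")
    for orphan in sorted(fed_ids - job_ids):
        findings.append(f"datafeed references unknown job {orphan}")
    return findings


def lint_all(manifests):
    """Lint every manifest; returns {module_id: [findings]}."""
    return {mid: lint_manifest(m) for mid, m in manifests.items()}


if __name__ == "__main__":
    for mid, found in lint_all(SAMPLE_MANIFESTS).items():
        print(mid, "OK" if not found else "")
        for f in found:
            print("  -", f)
```

Run as a script it reports the Linux manifest clean and lists four findings for the Windows one. In a real tree the `SAMPLE_MANIFESTS` dict would be replaced by loading each module's `manifest.json` and the job files it references; the checks themselves stay the same, and wiring `lint_all` into CI would have failed this PR on the "Security: Linux v3" slip before a reviewer had to spot it.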