diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/logo.json
new file mode 100644
index 0000000000000..1a8759749131a
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/logo.json
@@ -0,0 +1,3 @@
+{
+ "icon": "logoSecurity"
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/manifest.json
new file mode 100644
index 0000000000000..025861bb672c0
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/manifest.json
@@ -0,0 +1,176 @@ +{ + "id": "security_linux_v3", + "title": "Security: Linux v3 (2022)", + "description": "This module contains all shipping ML jobs for Linux host based threat hunting and detection. This module is a replacement for the v2 Linux module named Security: Linux.", + "type": "linux data", + "logoFile": "logo.json", + "defaultIndexPattern": "auditbeat-*,logs-*", + "query": { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + } + ] + } + }, + "jobs": [ + { + "id": "v3_linux_anomalous_network_port_activity_ecs", + "file": "v3_linux_anomalous_network_port_activity_ecs.json" + }, + { + "id": "v3_linux_network_configuration_discovery", + "file": "v3_linux_network_configuration_discovery.json" + }, + { + "id": "v3_linux_network_connection_discovery", + "file": "v3_linux_network_connection_discovery.json" + }, + { + "id": "v3_linux_rare_sudo_user", + "file": "v3_linux_rare_sudo_user.json" + }, + { + "id": "v3_linux_rare_user_compiler", + "file": "v3_linux_rare_user_compiler.json" + }, + { + "id": "v3_linux_system_information_discovery", + "file": "v3_linux_system_information_discovery.json" + }, + { + "id": "v3_linux_system_process_discovery", + "file": "v3_linux_system_process_discovery.json" + }, + { + "id": "v3_linux_system_user_discovery", + "file": "v3_linux_system_user_discovery.json" + }, + { + "id": "v3_linux_anomalous_process_all_hosts_ecs", + "file": "v3_linux_anomalous_process_all_hosts_ecs.json" + }, + { + "id": "v3_linux_anomalous_user_name_ecs", + "file": "v3_linux_anomalous_user_name_ecs.json" + }, + { + "id": "v3_linux_rare_metadata_process", + "file": "v3_linux_rare_metadata_process.json" + }, + { + "id": 
"v3_linux_rare_metadata_user", + "file": "v3_linux_rare_metadata_user.json" + }, + { + "id": "v3_rare_process_by_host_linux_ecs", + "file": "v3_rare_process_by_host_linux_ecs.json" + }, + { + "id": "v3_linux_anomalous_network_activity", + "file": "v3_linux_anomalous_network_activity.json" + } + ], + "datafeeds": [ + { + "id": "datafeed-v3_linux_anomalous_network_port_activity_ecs", + "file": "datafeed_v3_linux_anomalous_network_port_activity_ecs.json", + "job_id": "v3_linux_anomalous_network_port_activity_ecs" + }, + { + "id": "datafeed-v3_linux_network_configuration_discovery", + "file": "datafeed_v3_linux_network_configuration_discovery.json", + "job_id": "v3_linux_network_configuration_discovery" + }, + { + "id": "datafeed-v3_linux_network_connection_discovery", + "file": "datafeed_v3_linux_network_connection_discovery.json", + "job_id": "v3_linux_network_connection_discovery" + }, + { + "id": "datafeed-v3_linux_rare_sudo_user", + "file": "datafeed_v3_linux_rare_sudo_user.json", + "job_id": "v3_linux_rare_sudo_user" + }, + { + "id": "datafeed-v3_linux_rare_user_compiler", + "file": "datafeed_v3_linux_rare_user_compiler.json", + "job_id": "v3_linux_rare_user_compiler" + }, + { + "id": "datafeed-v3_linux_system_information_discovery", + "file": "datafeed_v3_linux_system_information_discovery.json", + "job_id": "v3_linux_system_information_discovery" + }, + { + "id": "datafeed-v3_linux_system_process_discovery", + "file": "datafeed_v3_linux_system_process_discovery.json", + "job_id": "v3_linux_system_process_discovery" + }, + { + "id": "datafeed-v3_linux_system_user_discovery", + "file": "datafeed_v3_linux_system_user_discovery.json", + "job_id": "v3_linux_system_user_discovery" + }, + { + "id": "datafeed-v3_linux_anomalous_process_all_hosts_ecs", + "file": "datafeed_v3_linux_anomalous_process_all_hosts_ecs.json", + "job_id": "v3_linux_anomalous_process_all_hosts_ecs" + }, + { + "id": "datafeed-v3_linux_anomalous_user_name_ecs", + "file": 
"datafeed_v3_linux_anomalous_user_name_ecs.json", + "job_id": "v3_linux_anomalous_user_name_ecs" + }, + { + "id": "datafeed-v3_linux_rare_metadata_process", + "file": "datafeed_v3_linux_rare_metadata_process.json", + "job_id": "v3_linux_rare_metadata_process" + }, + { + "id": "datafeed-v3_linux_rare_metadata_user", + "file": "datafeed_v3_linux_rare_metadata_user.json", + "job_id": "v3_linux_rare_metadata_user" + }, + { + "id": "datafeed-v3_rare_process_by_host_linux_ecs", + "file": "datafeed_v3_rare_process_by_host_linux_ecs.json", + "job_id": "v3_rare_process_by_host_linux_ecs" + }, + { + "id": "datafeed-v3_linux_anomalous_network_activity", + "file": "datafeed_v3_linux_anomalous_network_activity.json", + "job_id": "v3_linux_anomalous_network_activity" + } + ] +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_network_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_network_activity.json new file mode 100644 index 0000000000000..9ecec4a5fe586 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_network_activity.json 
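Review bot: The recognizer `query` in manifest.json accepts `host.os.family` values `debian`, `redhat` and `suse` only, while every datafeed in this module (datafeed_v3_linux_anomalous_network_activity.json and the others) additionally accepts `ubuntu`; a host that reports `host.os.family: ubuntu` without `host.os.type: linux` would be scored by the jobs but never make the module show up as recognized. Either add the same clause here, `{ "match": { "host.os.family": { "query": "ubuntu", "operator": "OR" } } }`, or drop it from the datafeeds so the two sides agree. Since this `datafeeds` list is the only place a datafeed file is tied to a job id, a small module test asserting that each datafeed file's `job_id` equals the `job_id` of its manifest entry would also catch the mismatch present in datafeed_v3_linux_system_user_discovery.json later in this commit.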
@@ -0,0 +1,77 @@ +{ + "job_id": "v3_linux_anomalous_network_activity", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": + { + "filter": [ + {"term": {"event.category": "network"}}, + {"term": {"event.type": "start"}} + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ], + "must_not": [ + { + "bool": { + "should": [ + {"term": {"destination.ip": "127.0.0.1"}}, + {"term": {"destination.ip": "127.0.0.53"}}, + {"term": {"destination.ip": "::"}}, + {"term": {"destination.ip": "::1"}}, + {"term": {"user.name":"jenkins"}} + ] + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_network_port_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_network_port_activity_ecs.json new file mode 100644 index 0000000000000..5e23da0019e92 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_network_port_activity_ecs.json 
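Review bot: The `must_not` block hard-codes deployment-specific exclusions — `{"term": {"user.name":"jenkins"}}` here and in datafeed_v3_linux_anomalous_network_port_activity_ecs.json, and `jenkins-worker`, `jenkins-user` plus `process.name: jenkins*` in datafeed_v3_linux_anomalous_process_all_hosts_ecs.json — that remove every event for those accounts from both the learned baseline and scoring, so activity under a compromised CI account would never surface as anomalous. The loopback exclusions (`127.0.0.1`, `127.0.0.53`, `::`, `::1`) are generic noise reduction, but the account and process-name exclusions look inherited from one environment and are shipped to every user of the module. Consider dropping them from the shipped query and documenting them as a per-deployment override in the module description, or at least stating in the `description` of the affected jobs that these names are excluded.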
@@ -0,0 +1,77 @@ +{ + "job_id": "v3_linux_anomalous_network_port_activity_ecs", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": + { + "filter": [ + {"term": {"event.category": "network"}}, + {"term": {"event.type": "start"}} + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ], + "must_not": [ + { + "bool": { + "should": [ + {"term": {"destination.ip": "127.0.0.1"}}, + {"term": {"destination.ip": "127.0.0.53"}}, + {"term": {"destination.ip": "::"}}, + {"term": {"destination.ip": "::1"}}, + {"term": {"user.name":"jenkins"}} + ] + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_process_all_hosts_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_process_all_hosts_ecs.json new file mode 100644 index 0000000000000..4293f2c295eea --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_process_all_hosts_ecs.json 
@@ -0,0 +1,101 @@ +{ + "job_id": "v3_linux_anomalous_process_all_hosts_ecs", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ], + "must_not": [ + { + "bool": { + "should": [ + { + "term": { + "user.name": "jenkins-worker" + } + }, + { + "term": { + "user.name": "jenkins-user" + } + }, + { + "term": { + "user.name": "jenkins" + } + }, + { + "wildcard": { + "process.name": { + "wildcard": "jenkins*" + } + } + } + ] + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_user_name_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_user_name_ecs.json new file mode 100644 index 0000000000000..b8f0f44adbffd --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_anomalous_user_name_ecs.json 
@@ -0,0 +1,71 @@ +{ + "job_id": "v3_linux_anomalous_user_name_ecs", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_network_configuration_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_network_configuration_discovery.json new file mode 100644 index 0000000000000..615e584f73bdd --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_network_configuration_discovery.json 
@@ -0,0 +1,107 @@ +{ + "job_id": "v3_linux_network_configuration_discovery", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + }, + { + "bool": { + "should": [ + { + "term": { + "process.name": "arp" + } + }, + { + "term": { + "process.name": "echo" + } + }, + { + "term": { + "process.name": "ethtool" + } + }, + { + "term": { + "process.name": "ifconfig" + } + }, + { + "term": { + "process.name": "ip" + } + }, + { + "term": { + "process.name": "iptables" + } + }, + { + "term": { + "process.name": "ufw" + } + } + ] + } + } + ] + } + } +} \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_network_connection_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_network_connection_discovery.json new file mode 100644 index 0000000000000..7d29fc1c255a8 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_network_connection_discovery.json 
@@ -0,0 +1,92 @@ +{ + "job_id": "v3_linux_network_connection_discovery", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + }, + { + "bool": { + "should": [ + { + "term": { + "process.name": "netstat" + } + }, + { + "term": { + "process.name": "ss" + } + }, + { + "term": { + "process.name": "route" + } + }, + { + "term": { + "process.name": "showmount" + } + } + ] + } + } + ] + } + } + } \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_metadata_process.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_metadata_process.json new file mode 100644 index 0000000000000..fa6c1fc3a5ffb --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_metadata_process.json 
@@ -0,0 +1,66 @@ +{ + "job_id": "v3_linux_rare_metadata_process", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "destination.ip": "169.254.169.254" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_metadata_user.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_metadata_user.json new file mode 100644 index 0000000000000..721eb53d486f9 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_metadata_user.json @@ -0,0 +1,66 @@ +{ + "job_id": "v3_linux_rare_metadata_user", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "destination.ip": "169.254.169.254" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ] + } + } +} 
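Review bot: Both metadata datafeeds on this line (datafeed_v3_linux_rare_metadata_process.json and datafeed_v3_linux_rare_metadata_user.json) filter only on `destination.ip: 169.254.169.254` and, unlike the other network datafeeds in the module, carry no `event.category`/`event.type` clause, so a single connection to the cloud metadata endpoint may be counted once on its start event and again on any end or flow event the same source emits, and non-connection documents that happen to set `destination.ip` are included too. Adding the filter used in datafeed_v3_linux_anomalous_network_activity.json, `{"term": {"event.category": "network"}}, {"term": {"event.type": "start"}}`, would make the counts comparable across the module; if end/flow events are wanted deliberately, a short note in the job `description` saying so would help the next maintainer.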
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_sudo_user.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_sudo_user.json new file mode 100644 index 0000000000000..80f15c2d0bf73 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_sudo_user.json @@ -0,0 +1,71 @@ +{ + "job_id": "v3_linux_rare_sudo_user", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.type": "start" + } + }, + { + "term": { + "process.name": "sudo" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ] + } + } +} \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_user_compiler.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_user_compiler.json new file mode 100644 index 0000000000000..ac8fdcf400a61 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_rare_user_compiler.json 
@@ -0,0 +1,92 @@ +{ + "job_id": "v3_linux_rare_user_compiler", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + }, + { + "bool": { + "should": [ + { + "term": { + "process.name": "compile" + } + }, + { + "term": { + "process.name": "gcc" + } + }, + { + "term": { + "process.name": "make" + } + }, + { + "term": { + "process.name": "yasm" + } + } + ] + } + } + ] + } + } + } \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_information_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_information_discovery.json new file mode 100644 index 0000000000000..73c864920a046 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_information_discovery.json 
@@ -0,0 +1,132 @@ +{ + "job_id": "v3_linux_system_information_discovery", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + }, + { + "bool": { + "should": [ + { + "term": { + "process.name": "cat" + } + }, + { + "term": { + "process.name": "grep" + } + }, + { + "term": { + "process.name": "head" + } + }, + { + "term": { + "process.name": "hostname" + } + }, + { + "term": { + "process.name": "less" + } + }, + { + "term": { + "process.name": "ls" + } + }, + { + "term": { + "process.name": "lsmod" + } + }, + { + "term": { + "process.name": "more" + } + }, + { + "term": { + "process.name": "strings" + } + }, + { + "term": { + "process.name": "tail" + } + }, + { + "term": { + "process.name": "uptime" + } + }, + { + "term": { + "process.name": "uname" + } + } + ] + } + } + ] + } + } +} \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_process_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_process_discovery.json new file mode 100644 index 0000000000000..98f452bcbf8e4 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_process_discovery.json 
@@ -0,0 +1,82 @@ +{ + "job_id": "v3_linux_system_process_discovery", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + }, + { + "bool": { + "should": [ + { + "term": { + "process.name": "ps" + } + }, + { + "term": { + "process.name": "top" + } + } + ] + } + } + ] + } + } +} \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_user_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_user_discovery.json new file mode 100644 index 0000000000000..78ec58789bcd6 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_linux_system_user_discovery.json 
@@ -0,0 +1,92 @@
+{
+ "job_id": "v3_inux_system_user_discovery",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.type": {
+ "query": "linux",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.family": {
+ "query": "debian",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.family": {
+ "query": "redhat",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.family": {
+ "query": "suse",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.family": {
+ "query": "ubuntu",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "process.name": "users"
+ }
+ },
+ {
+ "term": {
+ "process.name": "w"
+ }
+ },
+ {
+ "term": {
+ "process.name": "who"
+ }
+ },
+ {
+ "term": {
+ "process.name": "whoami"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_rare_process_by_host_linux_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_rare_process_by_host_linux_ecs.json
new file mode 100644
index 0000000000000..2b47910475d88
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/datafeed_v3_rare_process_by_host_linux_ecs.json
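Review bot: `"job_id": "v3_inux_system_user_discovery"` on the second line of this datafeed is missing the `l`; manifest.json registers this file under `"job_id": "v3_linux_system_user_discovery"` and the job file carries that name, so the datafeed points at a job that does not exist in the module. Change the line to `"job_id": "v3_linux_system_user_discovery",`. A module test that loads every datafeed file and asserts its `job_id` matches the manifest entry referencing it would catch this class of typo for all fourteen datafeeds at once.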
@@ -0,0 +1,71 @@ +{ + "job_id": "v3_rare_process_by_host_linux_ecs", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "process" + } + }, + { + "term": { + "event.type": "start" + } + } + ], + "must": [ + { + "bool": { + "should": [ + { + "match": { + "host.os.type": { + "query": "linux", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "debian", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "redhat", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "suse", + "operator": "OR" + } + } + }, + { + "match": { + "host.os.family": { + "query": "ubuntu", + "operator": "OR" + } + } + } + ] + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_network_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_network_activity.json new file mode 100644 index 0000000000000..775204c77a473 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_network_activity.json 
@@ -0,0 +1,54 @@ +{ + "job_type": "anomaly_detector", + "description": "Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.", + "groups": [ + "auditbeat", + "endpoint", + "linux", + "network", + "security" + ], + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by \"process.name\"", + "function": "rare", + "by_field_name": "process.name" + } + ], + "influencers": [ + "host.name", + "process.name", + "user.name", + "destination.ip" + ] + }, + "allow_lazy_open": true, + "analysis_limits": { + "model_memory_limit": "64mb" + }, + "data_description": { + "time_field": "@timestamp" + }, + "custom_settings": { + "custom_urls": [ + { + "url_name": "Host Details by process name", + "url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + }, + { + "url_name": "Host Details by user name", + "url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + }, + { + "url_name": "Hosts Overview by process name", + "url_value": 
"siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'process.name%20:%20%22$process.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + }, + { + "url_name": "Hosts Overview by user name", + "url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + } + ] + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_network_port_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_network_port_activity_ecs.json new file mode 100644 index 0000000000000..2e1a8fff92b35 --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_network_port_activity_ecs.json 
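Review bot: The four `url_value` strings in v3_linux_anomalous_network_activity.json use the older `siem#/ml-hosts/...?_g=()&kqlQuery=(filterQuery:(expression:...,kind:kuery),queryLocation:...)` form, while the sibling v3 job file in this commit (v3_linux_anomalous_network_port_activity_ecs.json) uses `security/hosts/ml-hosts/...?_g=()&query=(query:...,language:kuery)`; the two forms presumably do not both resolve in the current Security app, so the links from this job's anomalies are likely to land on the wrong route. This job also has no `"created_by"` entry in `custom_settings` and its `description` lacks the `Security: Linux v3 - ` prefix the port-activity job carries, so the UI cannot attribute it to this module consistently; add `"created_by": "ml-module-security-linux-v3",` and rewrite the four URLs in the `security/hosts/ml-hosts` form. The anomalous_process_all_hosts job at the end of this view has the same attribution mismatch (`"created_by": "ml-module-security-linux"` and a description without `v3`), though its hunk is cut off here.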
@@ -0,0 +1,55 @@ +{ + "job_type": "anomaly_detector", + "description": "Security: Linux v3 - Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.", + "groups": [ + "security", + "auditbeat", + "endpoint", + "linux", + "network" + ], + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by \"destination.port\"", + "function": "rare", + "by_field_name": "destination.port" + } + ], + "influencers": [ + "host.name", + "process.name", + "user.name", + "destination.ip" + ] + }, + "allow_lazy_open": true, + "analysis_limits": { + "model_memory_limit": "32mb" + }, + "data_description": { + "time_field": "@timestamp" + }, + "custom_settings": { + "created_by": "ml-module-security-linux-v3", + "custom_urls": [ + { + "url_name": "Host Details by process name", + "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + }, + { + "url_name": "Host Details by user name", + "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + }, + { + "url_name": "Hosts Overview by process name", + "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + }, + { + "url_name": "Hosts Overview by user name", + "url_value": 
"security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))" + } + ] + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_process_all_hosts_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_process_all_hosts_ecs.json new file mode 100644 index 0000000000000..c253b4a80966c --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_process_all_hosts_ecs.json 
@@ -0,0 +1,58 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.",
+ "groups": [
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process",
+ "security"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"process.name\"",
+ "function": "rare",
+ "by_field_name": "process.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "512mb",
+ "categorization_examples_limit": 4
+
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_user_name_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_user_name_ecs.json
new file mode 100644
index 0000000000000..f973d451c76e8
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_anomalous_user_name_ecs.json
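Review bot: `"created_by": "ml-module-security-linux"` is the v2 module identifier, while the jobs authored for this module (for example the network-port job in this same change) use `"ml-module-security-linux-v3"`; anything that keys on `created_by` to attribute a job to its module will file this one under the replaced v2 module, and the mismatch makes the carried-over jobs hard to tell apart from the ones they supersede. Set `"created_by": "ml-module-security-linux-v3"` here and in the other copied jobs (`v3_linux_anomalous_user_name_ecs`, both `v3_linux_rare_metadata_*`, `v3_rare_process_by_host_linux_ecs`). The `analysis_limits` object also carries a stray blank line and a `categorization_examples_limit` that has no effect without a `categorization_field_name` on the detector — both look like v2 leftovers worth cleaning up while the file is new.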
@@ -0,0 +1,57 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
+ "groups": [
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process",
+ "security"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "32mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_network_configuration_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_network_configuration_discovery.json
new file mode 100644
index 0000000000000..6698628fd7615
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_network_configuration_discovery.json
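Review bot: `"categorization_examples_limit": 4` is set in `analysis_limits` but the single detector has no `categorization_field_name`, so the setting is inert and only suggests to the next reader that the job does categorization when it does not; drop the line. The same leftover appears in the two `v3_linux_rare_metadata_*` jobs and in `v3_rare_process_by_host_linux_ecs`. Like the other jobs copied from v2, this one also still reports `"created_by": "ml-module-security-linux"` rather than the `-v3` identifier the new jobs in this module use.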
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+ "groups": [
+ "security",
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "process.name",
+ "host.name",
+ "process.args",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "64mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_network_connection_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_network_connection_discovery.json
new file mode 100644
index 0000000000000..fca07cd53be86
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_network_connection_discovery.json
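Review bot: The detector is `rare` by `user.name` with no `partition_field_name`, so rarity is judged against every user across the whole fleet: an account that routinely runs these discovery commands on a handful of hosts is common, and its first appearance on a host it has never touched — the lateral-movement case the description is written around — will not score as rare. If per-host novelty is the intent, add `"partition_field_name": "host.name"` to the detector as `v3_rare_process_by_host_linux_ecs` does; that multiplies model state by host count, so the 64mb `model_memory_limit` would need re-checking. The same question applies to the sibling `*_discovery` and `rare_sudo_user` jobs that share this detector shape, and whichever choice is made should be stated in the description so analysts know what "unusual" means here.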
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+ "groups": [
+ "security",
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "process.name",
+ "host.name",
+ "process.args",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "64mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_metadata_process.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_metadata_process.json
new file mode 100644
index 0000000000000..d4b7d698da821
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_metadata_process.json
@@ -0,0 +1,38 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+ "groups": [
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process",
+ "security"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"process.name\"",
+ "function": "rare",
+ "by_field_name": "process.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "user.name",
+ "process.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "32mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux" }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_metadata_user.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_metadata_user.json
new file mode 100644
index 0000000000000..7aabe61baa1c6
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_metadata_user.json
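Review bot: `custom_settings` holds only `created_by`, so this is the one process-rarity job in the module with no drill-down links: an analyst triaging a rare process hitting the cloud metadata endpoint — the credential-theft path the description calls out — cannot pivot from the anomaly record to the host or process the way every other job here allows. Add the same four `custom_urls` entries (Host Details / Hosts Overview, by process name and by user name) the sibling jobs define, as below. Note also that nothing in the job itself restricts events to the metadata endpoint; that scoping has to live in the module's datafeed, which is outside this hunk, and should be verified so the job does not quietly degrade into a second fleet-wide rare-process detector. The closing `}` glued onto the `created_by` line is also worth splitting out for consistency with the other files.
```json
  "custom_settings": {
    "created_by": "ml-module-security-linux-v3",
    "custom_urls": [
      {
        "url_name": "Host Details by process name",
        "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
      },
      {
        "url_name": "Host Details by user name",
        "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
      },
      {
        "url_name": "Hosts Overview by process name",
        "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
      },
      {
        "url_name": "Hosts Overview by user name",
        "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
      }
    ]
  }
```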
@@ -0,0 +1,38 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+ "groups": [
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process",
+ "security"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "32mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_sudo_user.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_sudo_user.json
new file mode 100644
index 0000000000000..db3ddcd871faf
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_sudo_user.json
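Review bot: The influencer list is only `host.name` and `user.name`, so when an unusual user reaches the metadata service the anomaly record carries nothing about which process made the request — precisely what an analyst needs to separate a legitimate cloud agent from an interactive tool driven by a compromised account. Add `"process.name"` to `influencers`, matching `v3_linux_rare_metadata_process` in this same change. As with that job there are no `custom_urls` here, so the record offers no pivot to the host, and the restriction to the metadata endpoint is presumably applied by the datafeed rather than this file; both are worth confirming before the module ships.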
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for sudo activity from an unusual user context.",
+ "groups": [
+ "security",
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "process.name",
+ "host.name",
+ "process.args",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "32mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_user_compiler.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_user_compiler.json
new file mode 100644
index 0000000000000..3fe6140b5f61f
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_rare_user_compiler.json
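Review bot: The one-clause description (`Looks for sudo activity from an unusual user context.`) gives the analyst none of the triage context the sibling jobs provide; suggest `"Security: Linux - Looks for sudo activity from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may use sudo to elevate privileges, establish persistence, or reach data outside its normal scope."`. Separately, the detector is rare by `user.name`; for sudo events it is worth confirming that the datafeed's event source fills `user.name` with the invoking user rather than the effective (target) user, because in the latter case nearly every record would carry `root` and the detector would have nothing to learn. The job also has no `partition_field_name`, so a user who is common fleet-wide will not be flagged for a first-ever sudo on a particular host; if that is the intended scope, say so in the description.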
@@ -0,0 +1,47 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+ "groups": [
+ "security",
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "process.title",
+ "host.name",
+ "process.working_directory",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
\ No newline at end of file
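Review bot: The influencers are `process.title`, `host.name`, `process.working_directory` and `user.name` — not `process.name` — and the `custom_urls` pivot only by user, so if the event source does not populate `process.title` (no other job in this module relies on that field) a rare-compiler anomaly will surface with no indication of which compiler actually ran or from where. Add `"process.name"` to `influencers`, and consider the two process-name drill-downs the sibling jobs define, so the record carries the executable even when `process.title` is absent. The 256mb `model_memory_limit` is several times what the other rare-by-user jobs get; that is plausible given the high-cardinality `process.title`/`process.working_directory` influencers, but it should be checked against real model memory stats rather than inherited.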
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_information_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_information_discovery.json
new file mode 100644
index 0000000000000..c1b56197f5a6d
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_information_discovery.json
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
+ "groups": [
+ "security",
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "process.name",
+ "host.name",
+ "process.args",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "16mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_process_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_process_discovery.json
new file mode 100644
index 0000000000000..212fd617fdb47
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_process_discovery.json
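Review bot: `"model_memory_limit": "16mb"` is the smallest in the module, yet this job has the same `rare` by `user.name` detector and the same four influencers — including high-cardinality `process.args` — as the `network_*_discovery` jobs, which are given 64mb. When an anomaly job exhausts its limit its `memory_status` moves to `hard_limit` and it stops modeling new entities, which here means new user contexts silently go undetected rather than producing a visible failure. The 16mb figure (also used by `system_process_discovery` and `system_user_discovery`) should be validated against model memory stats from a representative fleet before the module ships, or raised to match its siblings.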
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation.",
+ "groups": [
+ "security",
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "process.name",
+ "host.name",
+ "process.args",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "16mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+ }
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_user_discovery.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_user_discovery.json
new file mode 100644
index 0000000000000..487bcd1e144c1
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_linux_system_user_discovery.json
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity.",
+ "groups": [
+ "security",
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "process.name",
+ "host.name",
+ "process.args",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "16mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+ }
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_rare_process_by_host_linux_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_rare_process_by_host_linux_ecs.json
new file mode 100644
index 0000000000000..76ee9f53f443c
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux_v3/ml/v3_rare_process_by_host_linux_ecs.json
@@ -0,0 +1,58 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Linux - Looks for processes that are unusual to a particular Linux host. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.",
+ "groups": [
+ "auditbeat",
+ "endpoint",
+ "linux",
+ "process",
+ "security"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare process executions on Linux",
+ "function": "rare",
+ "by_field_name": "process.name",
+ "partition_field_name": "host.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-linux",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/logo.json
new file mode 100644
index 0000000000000..1a8759749131a
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/logo.json
@@ -0,0 +1,3 @@
+{
+ "icon": "logoSecurity"
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/manifest.json
new file mode 100644
index 0000000000000..167b96b510466
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/manifest.json
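Review bot: `"detector_description": "rare process executions on Linux"` is free text, while every other detector in this module uses the structured `rare by "<field>"` form; since this is the only detector carrying a `partition_field_name`, a description such as `"rare by \"process.name\" partitionfield=\"host.name\""` would both follow the convention and make the per-host scoping visible wherever the detector description is displayed. The job also still reports the v2 `"created_by": "ml-module-security-linux"` value, unlike the jobs written for this module, and keeps an inert `categorization_examples_limit` with no categorization field on the detector.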
@@ -0,0 +1,148 @@
+{
+ "id": "security_windows_v3",
+ "title": "Security: Windows v3 (2022)",
+ "description": "This module contains all shipping ML jobs for Windows host based threat hunting and detection. This module is a replacement for the v2 Windows module named Security: Windows.",
+ "type": "windows data",
+ "logoFile": "logo.json",
+ "defaultIndexPattern": "winlogbeat-*,logs-*",
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "jobs": [
+ {
+ "id": "v3_windows_anomalous_service",
+ "file": "v3_windows_anomalous_service.json"
+ },
+ {
+ "id": "v3_windows_rare_user_runas_event",
+ "file": "v3_windows_rare_user_runas_event.json"
+ },
+ {
+ "id": "v3_windows_rare_user_type10_remote_login",
+ "file": "v3_windows_rare_user_type10_remote_login.json"
+ },
+ {
+ "id": "v3_rare_process_by_host_windows_ecs",
+ "file": "v3_rare_process_by_host_windows_ecs.json"
+ },
+ {
+ "id": "v3_windows_anomalous_network_activity_ecs",
+ "file": "v3_windows_anomalous_network_activity_ecs.json"
+ },
+ {
+ "id": "v3_windows_anomalous_path_activity_ecs",
+ "file": "v3_windows_anomalous_path_activity_ecs.json"
+ },
+ {
+ "id": "v3_windows_anomalous_process_all_hosts_ecs",
+ "file": "v3_windows_anomalous_process_all_hosts_ecs.json"
+ },
+ {
+ "id": "v3_windows_anomalous_process_creation",
+ "file": "v3_windows_anomalous_process_creation.json"
+ },
+ {
+ "id": "v3_windows_anomalous_user_name_ecs",
+ "file": "v3_windows_anomalous_user_name_ecs.json"
+ },
+ {
+ "id": "v3_windows_rare_metadata_process",
+ "file": "v3_windows_rare_metadata_process.json"
+ },
+ {
+ "id": "v3_windows_rare_metadata_user",
+ "file": "v3_windows_rare_metadata_user.json"
+ },
+ {
+ "id": "v3_windows_anomalous_script",
+ "file": "v3_windows_anomalous_script.json"
+ }
+ ],
+ "datafeeds": [
+ {
+ "id": "datafeed-v3_windows_anomalous_service",
+ "file": "datafeed_v3_windows_anomalous_service.json",
+ "job_id": "v3_windows_anomalous_service"
+ },
+ {
+ "id": "datafeed-v3_windows_rare_user_runas_event",
+ "file": "datafeed_v3_windows_rare_user_runas_event.json",
+ "job_id": "v3_windows_rare_user_runas_event"
+ },
+ {
+ "id": "datafeed-v3_windows_rare_user_type10_remote_login",
+ "file": "datafeed_v3_windows_rare_user_type10_remote_login.json",
+ "job_id": "v3_windows_rare_user_type10_remote_login"
+ },
+ {
+ "id": "datafeed-v3_rare_process_by_host_windows_ecs",
+ "file": "datafeed_v3_rare_process_by_host_windows_ecs.json",
+ "job_id": "v3_rare_process_by_host_windows_ecs"
+ },
+ {
+ "id": "datafeed-v3_windows_anomalous_network_activity_ecs",
+ "file": "datafeed_v3_windows_anomalous_network_activity_ecs.json",
+ "job_id": "v3_windows_anomalous_network_activity_ecs"
+ },
+ {
+ "id": "datafeed-v3_windows_anomalous_path_activity_ecs",
+ "file": "datafeed_v3_windows_anomalous_path_activity_ecs.json",
+ "job_id": "v3_windows_anomalous_path_activity_ecs"
+ },
+ {
+ "id": "datafeed-v3_windows_anomalous_process_all_hosts_ecs",
+ "file": "datafeed_v3_windows_anomalous_process_all_hosts_ecs.json",
+ "job_id": "v3_windows_anomalous_process_all_hosts_ecs"
+ },
+ {
+ "id": "datafeed-v3_windows_anomalous_process_creation",
+ "file": "datafeed_v3_windows_anomalous_process_creation.json",
+ "job_id": "v3_windows_anomalous_process_creation"
+ },
+ {
+ "id": "datafeed-v3_windows_anomalous_user_name_ecs",
+ "file": "datafeed_v3_windows_anomalous_user_name_ecs.json",
+ "job_id": "v3_windows_anomalous_user_name_ecs"
+ },
+ {
+ "id": "datafeed-v3_windows_rare_metadata_process",
+ "file": "datafeed_v3_windows_rare_metadata_process.json",
+ "job_id": "v3_windows_rare_metadata_process"
+ },
+ {
+ "id": "datafeed-v3_windows_rare_metadata_user",
+ "file": "datafeed_v3_windows_rare_metadata_user.json",
+ "job_id": "v3_windows_rare_metadata_user"
+ },
+ {
+ "id": "datafeed-v3_windows_anomalous_script",
+ "file": "datafeed_v3_windows_anomalous_script.json",
+ "job_id": "v3_windows_anomalous_script"
+ }
+ ]
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_rare_process_by_host_windows_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_rare_process_by_host_windows_ecs.json
new file mode 100644
index 0000000000000..5673d6e25b414
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_rare_process_by_host_windows_ecs.json
@@ -0,0 +1,47 @@
+{
+ "job_id": "v3_rare_process_by_host_windows_ecs",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_network_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_network_activity_ecs.json
new file mode 100644
index 0000000000000..5b35109bc0f13
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_network_activity_ecs.json
@@ -0,0 +1,71 @@
+{
+ "job_id": "v3_windows_anomalous_network_activity_ecs",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.category": "network"
+ }
+ },
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "destination.ip": "127.0.0.1"
+ }
+ },
+ {
+ "term": {
+ "destination.ip": "127.0.0.53"
+ }
+ },
+ {
+ "term": {
+ "destination.ip": "::1"
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_path_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_path_activity_ecs.json
new file mode 100644
index 0000000000000..9ca168b0943ba
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_path_activity_ecs.json
@@ -0,0 +1,47 @@
+{
+ "job_id": "v3_windows_anomalous_path_activity_ecs",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
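Review bot: The loopback exclusion in `must_not` enumerates `127.0.0.1`, `127.0.0.53` and `::1` with `term` clauses, so a connection to any other 127/8 address still reaches the model, and `127.0.0.53` is the systemd-resolved stub listener, which has no meaning on a Windows host — this looks carried over from the Linux datafeed. Because `destination.ip` is an `ip`-typed field, one CIDR term covers the whole range: replace the first two terms with `"term": { "destination.ip": "127.0.0.0/8" }` and keep the `::1` term. Whether `event.type: start` also matches the network-connection events of every shipper this module targets is not visible here and is worth confirming against a sample document.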
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_process_all_hosts_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_process_all_hosts_ecs.json
new file mode 100644
index 0000000000000..c21f5a0d6da46
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_process_all_hosts_ecs.json
@@ -0,0 +1,47 @@
+{
+ "job_id": "v3_windows_anomalous_process_all_hosts_ecs",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_process_creation.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_process_creation.json
new file mode 100644
index 0000000000000..abae5cdbded28
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_process_creation.json
@@ -0,0 +1,47 @@
+{
+ "job_id": "v3_windows_anomalous_process_creation",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_script.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_script.json
new file mode 100644
index 0000000000000..0e6408abc289e
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_script.json
@@ -0,0 +1,42 @@
+{
+ "job_id": "v3_windows_anomalous_script",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.provider": "Microsoft-Windows-PowerShell"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_service.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_service.json
new file mode 100644
index 0000000000000..1fbcc18c40305
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_service.json
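Review bot: The datafeed for `v3_windows_anomalous_script` admits every event from `event.provider: Microsoft-Windows-PowerShell`, but the job it feeds (later in this diff) analyses only `powershell.file.script_block_text`, which as far as I know is populated from script-block-logging events (event ID 4104) alone; module-logging and other provider events are fetched by the datafeed and then discarded by the analysis. Adding `{ "term": { "event.code": "4104" } }` to the `filter` array restricts the feed to documents that actually carry the analysed field. Please confirm the field/event mapping against a 4104 sample from the PowerShell integration before relying on that code.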
@@ -0,0 +1,42 @@
+{
+ "job_id": "v3_windows_anomalous_service",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.code": "7045"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_user_name_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_user_name_ecs.json
new file mode 100644
index 0000000000000..d1ef514039173
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_anomalous_user_name_ecs.json
@@ -0,0 +1,47 @@
+{
+ "job_id": "v3_windows_anomalous_user_name_ecs",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.category": "process"
+ }
+ },
+ {
+ "term": {
+ "event.type": "start"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_metadata_process.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_metadata_process.json
new file mode 100644
index 0000000000000..29f2ff938ad96
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_metadata_process.json
@@ -0,0 +1,23 @@
+{
+ "job_id": "v3_windows_rare_metadata_process",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "host.os.family": "windows"
+ }
+ },
+ {
+ "term": {
+ "destination.ip": "169.254.169.254"
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_metadata_user.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_metadata_user.json
new file mode 100644
index 0000000000000..48d80d4e0bdae
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_metadata_user.json
@@ -0,0 +1,23 @@
+{
+ "job_id": "v3_windows_rare_metadata_user",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "host.os.family": "windows"
+ }
+ },
+ {
+ "term": {
+ "destination.ip": "169.254.169.254"
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_user_runas_event.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_user_runas_event.json
new file mode 100644
index 0000000000000..0ee0b5bd4288c
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_user_runas_event.json
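Review bot: Both metadata datafeeds (`datafeed_v3_windows_rare_metadata_process` here and `datafeed_v3_windows_rare_metadata_user` in the next hunk) gate on `host.os.family: windows` alone, whereas every other datafeed in this module accepts `host.os.family` OR `host.os.type`; a Windows host that only populates `host.os.type` is silently excluded from the two metadata-service models while being included in all the others. The `169.254.169.254` term also only matches the IPv4 endpoint, so connections to a cloud metadata service over IPv6 are out of scope for both models; a sentence to that effect in the job descriptions would save operators from assuming otherwise. Replacing the OS term with the same `must`/`bool`/`should` block the sibling datafeeds use restores consistency; `job_id`, `indices` and `max_empty_searches` stay as they are.
```json
"query": {
  "bool": {
    "filter": [
      { "term": { "destination.ip": "169.254.169.254" } }
    ],
    "must": [
      {
        "bool": {
          "should": [
            { "match": { "host.os.family": { "query": "windows", "operator": "OR" } } },
            { "match": { "host.os.type": { "query": "windows", "operator": "OR" } } }
          ]
        }
      }
    ]
  }
}
```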
@@ -0,0 +1,42 @@
+{
+ "job_id": "v3_windows_rare_user_runas_event",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "event.code": "4648"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "host.os.family": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "host.os.type": {
+ "query": "windows",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_user_type10_remote_login.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_user_type10_remote_login.json
new file mode 100644
index 0000000000000..3619ce19681ae
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/datafeed_v3_windows_rare_user_type10_remote_login.json
@@ -0,0 +1,42 @@
+{
+ "job_id": "v3_windows_rare_user_type10_remote_login",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "max_empty_searches": 10,
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "winlog.event_data.LogonType": "10"
+ }
+ }
+ ],
+ "must": [
+ {
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "event.type": {
+ "query": "authentication_success",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "event.action": {
+ "query": "logged-in",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_rare_process_by_host_windows_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_rare_process_by_host_windows_ecs.json
new file mode 100644
index 0000000000000..d8e81126321a1
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_rare_process_by_host_windows_ecs.json 
@@ -0,0 +1,60 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Detects unusually rare processes on Windows hosts.",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "process",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare process executions on Windows",
+ "function": "rare",
+ "by_field_name": "process.name",
+ "partition_field_name": "host.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_network_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_network_activity_ecs.json
new file mode 100644
index 0000000000000..534294632c1ad
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_network_activity_ecs.json
@@ -0,0 +1,59 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.",
+ "groups": [
+ "endpoint",
+ "network",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"process.name\"",
+ "function": "rare",
+ "by_field_name": "process.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name",
+ "destination.ip"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "64mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_path_activity_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_path_activity_ecs.json
new file mode 100644
index 0000000000000..6f5179c6f3bc2
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_path_activity_ecs.json
@@ -0,0 +1,58 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Looks for activity in unusual paths that may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.",
+ "groups": [
+ "endpoint",
+ "network",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"process.working_directory\"",
+ "function": "rare",
+ "by_field_name": "process.working_directory",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_process_all_hosts_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_process_all_hosts_ecs.json
new file mode 100644
index 0000000000000..090b49716741c
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_process_all_hosts_ecs.json
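Review bot: `groups` for this job lists `network` but not `process`, although its datafeed (`datafeed_v3_windows_anomalous_path_activity_ecs.json`, earlier in this diff) filters on `event.category: process` / `event.type: start` and the detector runs on `process.working_directory`; every sibling process job carries `process`, so this looks copied from the network job — change the line to `"process",`. The description also says payloads "execute from user profile paths", whereas `process.working_directory` is the directory the process was started in, which need not be where the executable lives; saying that plainly avoids operators reading an alert as a statement about the binary's location, e.g. `Looks for processes started from an unusual working directory, which may indicate execution of malware or persistence mechanisms.`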
@@ -0,0 +1,59 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate execution of unauthorized services, malware, or persistence mechanisms.",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "process",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"process.executable\"",
+ "function": "rare",
+ "by_field_name": "process.executable",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_process_creation.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_process_creation.json
new file mode 100644
index 0000000000000..88e5288ec5660
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_process_creation.json
@@ -0,0 +1,60 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "process",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "Unusual process creation activity",
+ "function": "rare",
+ "by_field_name": "process.name",
+ "partition_field_name": "process.parent.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_script.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_script.json
new file mode 100644
index 0000000000000..fc13304c55ef3
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_script.json
@@ -0,0 +1,46 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Looks for unusual powershell scripts that may indicate execution of malware, or persistence mechanisms.",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "process",
+ "windows",
+ "winlogbeat",
+ "powershell"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "high_info_content(\"powershell.file.script_block_text\")",
+ "function": "high_info_content",
+ "field_name": "powershell.file.script_block_text"
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "user.name",
+ "file.Path"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "custom_urls": [
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "siem#/ml-hosts/$host.name$?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.details,type:details)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_service.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_service.json
new file mode 100644
index 0000000000000..a61385b16ad53
--- /dev/null
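Review bot: Both custom_urls use the legacy `siem#/ml-hosts/...&kqlQuery=(filterQuery:(expression:...` form, whereas every other job in this commit links to `security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(...)`; if the old hash route no longer resolves, the analyst's pivot from an anomaly to host details silently breaks, so these two url_value entries should be brought in line with the sibling jobs. The influencer `file.Path` also departs from the lowercase ECS-style naming used everywhere else in the commit (`file.path`), which suggests it is never populated and contributes nothing to the anomaly score; confirm against the fields this job's datafeed actually delivers. This is likewise the only job here without the `security` group, without a created_by entry, and whose description lacks the `Security: Windows - ` prefix the other files use.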
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_service.json
@@ -0,0 +1,43 @@
+{
+ "job_type": "anomaly_detector",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "process",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "description": "Security: Windows - Looks for rare and unusual Windows services which may indicate execution of unauthorized services, malware, or persistence mechanisms.",
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"winlog.event_data.ServiceName\"",
+ "function": "rare",
+ "by_field_name": "winlog.event_data.ServiceName"
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "winlog.event_data.ServiceName"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_user_name_ecs.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_user_name_ecs.json
new file mode 100644
index 0000000000000..1a6cad88c4b78
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_anomalous_user_name_ecs.json
@@ -0,0 +1,59 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user which may be credentialed access or lateral movement.",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "process",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "256mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": 
"security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_metadata_process.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_metadata_process.json
new file mode 100644
index 0000000000000..5f752aecd355b
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_metadata_process.json
@@ -0,0 +1,40 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+ "groups": [
+ "security",
+ "endpoint",
+ "process",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"process.name\"",
+ "function": "rare",
+ "by_field_name": "process.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "process.name",
+ "host.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "32mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_metadata_user.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_metadata_user.json
new file mode 100644
index 0000000000000..4462f16cc53e4
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_metadata_user.json
@@ -0,0 +1,39 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+ "groups": [
+ "endpoint",
+ "process",
+ "security",
+ "sysmon",
+ "windows",
+ "winlogbeat"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name",
+ "detector_index": 0
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "32mb",
+ "categorization_examples_limit": 4
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows"
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_user_runas_event.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_user_runas_event.json
new file mode 100644
index 0000000000000..32fb6a7242956
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_user_runas_event.json
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Unusual user context switches can be due to privilege escalation.",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "security",
+ "windows",
+ "winlogbeat",
+ "authentication"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "128mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": 
"security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_user_type10_remote_login.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_user_type10_remote_login.json
new file mode 100644
index 0000000000000..55b07677c861e
--- /dev/null
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_windows_v3/ml/v3_windows_rare_user_type10_remote_login.json
@@ -0,0 +1,55 @@
+{
+ "job_type": "anomaly_detector",
+ "description": "Security: Windows - Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.",
+ "groups": [
+ "endpoint",
+ "event-log",
+ "security",
+ "windows",
+ "winlogbeat",
+ "authentication"
+ ],
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "rare by \"user.name\"",
+ "function": "rare",
+ "by_field_name": "user.name"
+ }
+ ],
+ "influencers": [
+ "host.name",
+ "process.name",
+ "user.name"
+ ]
+ },
+ "allow_lazy_open": true,
+ "analysis_limits": {
+ "model_memory_limit": "128mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-security-windows-v3",
+ "custom_urls": [
+ {
+ "url_name": "Host Details by process name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Host Details by user name",
+ "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by process name",
+ "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ },
+ {
+ "url_name": "Hosts Overview by user name",
+ "url_value": 
"security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+ }
+ ]
+ }
+}
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
index e7199f6df2b1f..8f3e25fee05a6 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
@@ -21,4 +21,6 @@ export const mlModules: string[] = [
 'security_linux',
 'security_network',
 'security_windows',
+ 'security_linux_v3',
+ 'security_windows_v3',
 ];
diff --git a/x-pack/test/api_integration/apis/ml/modules/get_module.ts b/x-pack/test/api_integration/apis/ml/modules/get_module.ts
index b36b67bbb813b..4363e43776744 100644
--- a/x-pack/test/api_integration/apis/ml/modules/get_module.ts
+++ b/x-pack/test/api_integration/apis/ml/modules/get_module.ts
@@ -30,8 +30,10 @@ const moduleIds = [
 'sample_data_weblogs',
 'security_auth',
 'security_linux',
+ 'security_linux_v3',
 'security_network',
 'security_windows',
+ 'security_windows_v3',
 'siem_auditbeat',
 'siem_auditbeat_auth',
 'siem_cloudtrail',
diff --git a/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts b/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts
index 0cfa90a8c3a88..b8d659db47620 100644
--- a/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts
+++ b/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts
@@ -98,6 +98,7 @@ export default ({ getService }: FtrProviderContext) => {
 'security_auth',
 'security_network',
 'security_windows',
+ 'security_windows_v3',
 'siem_winlogbeat',
 'siem_winlogbeat_auth',
 ],
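Review bot: In the ml_modules.tsx hunk the two new ids are appended after `'security_windows'` instead of next to the modules they supersede, so the list no longer reads as linux/network/windows pairs; placing `'security_linux_v3'` directly after `'security_linux'` and `'security_windows_v3'` after `'security_windows'` would match the ordering the get_module.ts hunk in this same commit already uses. Both generations are now enabled side by side (the recognize_module.ts expectations return the v2 and v3 id for the same index), so a one-line comment such as `// v3 modules supersede the v2 security_* entries above` would tell whoever later retires the v2 ids which ones are current. The mlModules array declaration begins before the hunk.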
@@ -129,7 +130,12 @@ export default ({ getService }: FtrProviderContext) => {
 user: USER.ML_POWERUSER,
 expected: {
 responseCode: 200,
- moduleIds: ['auditbeat_process_hosts_ecs', 'security_linux', 'siem_auditbeat'],
+ moduleIds: [
+ 'auditbeat_process_hosts_ecs',
+ 'security_linux',
+ 'security_linux_v3',
+ 'siem_auditbeat',
+ ],
 },
 },
 {
@@ -139,7 +145,14 @@ export default ({ getService }: FtrProviderContext) => {
 user: USER.ML_POWERUSER,
 expected: {
 responseCode: 200,
- moduleIds: ['security_auth', 'security_linux', 'security_network', 'security_windows'],
+ moduleIds: [
+ 'security_auth',
+ 'security_linux',
+ 'security_linux_v3',
+ 'security_network',
+ 'security_windows',
+ 'security_windows_v3',
+ ],
 },
 },
 {
@@ -149,7 +162,7 @@ export default ({ getService }: FtrProviderContext) => {
 user: USER.ML_POWERUSER,
 expected: {
 responseCode: 200,
- moduleIds: ['metricbeat_system_ecs', 'security_linux'],
+ moduleIds: ['metricbeat_system_ecs', 'security_linux', 'security_linux_v3'],
 },
 },
 {
@@ -169,7 +182,7 @@ export default ({ getService }: FtrProviderContext) => {
 user: USER.ML_POWERUSER,
 expected: {
 responseCode: 200,
- moduleIds: ['security_linux'], // the metrics ui modules don't define a query and can't be recognized
+ moduleIds: ['security_linux', 'security_linux_v3'], // the metrics ui modules don't define a query and can't be recognized
 },
 },
 {