Updates to pre-built Security ML jobs

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/manifest.json

@@ -2,7 +2,7 @@
   "id": "security_auth",
   "title": "Security: Authentication",
   "description": "Detect anomalous activity in your ECS-compatible authentication logs.",
-  "type": "auth data",
+  "type": "Auth data",
   "logoFile": "logo.json",
   "defaultIndexPattern": "auditbeat-*,logs-*,filebeat-*,winlogbeat-*",
   "query": {
@@ -14,7 +14,7 @@
           }
         }
       ],
-      "must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }
+      "must_not": { "terms": { "_tier": ["data_frozen", "data_cold"] } }
     }
   },
   "jobs": [

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events.json

@@ -1,20 +1,16 @@
 {
   "description": "Security: Authentication - Looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute force activity.",
-  "groups": [
-    "security",
-    "authentication"
-  ],
+  "groups": ["security", "authentication"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "high count of logon events",
+        "detector_description": "Detects high count of logon events.",
         "function": "high_non_zero_count",
         "detector_index": 0
       }
     ],
-    "influencers": [],
-    "model_prune_window": "30d"
+    "influencers": ["source.ip", "winlog.event_data.LogonType", "user.name", "host.name"]
   },
   "allow_lazy_open": true,
   "analysis_limits": {
@@ -25,6 +21,8 @@
   },
   "custom_settings": {
     "created_by": "ml-module-security-auth",
-    "security_app_display_name": "Spike in Logon Events"
+    "security_app_display_name": "Spike in Logon Events",
+    "managed": true,
+    "job_revision": 4
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip.json

@@ -1,25 +1,17 @@
 {
   "description": "Security: Authentication - Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration, or brute force activity.",
-  "groups": [
-    "security",
-    "authentication"
-  ],
+  "groups": ["security", "authentication"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "high count of auth events for a source IP",
+        "detector_description": "Detects high count of auth events for a source IP.",
         "function": "high_non_zero_count",
         "by_field_name": "source.ip",
         "detector_index": 0
       }
     ],
-    "influencers": [
-      "source.ip",
-      "winlog.event_data.LogonType",
-      "user.name"
-    ],
-    "model_prune_window": "30d"
+    "influencers": ["source.ip", "winlog.event_data.LogonType", "user.name", "host.name"]
   },
   "allow_lazy_open": true,
   "analysis_limits": {
@@ -30,6 +22,8 @@
   },
   "custom_settings": {
     "created_by": "ml-module-security-auth",
-    "security_app_display_name": "Spike in Logon Events from a Source IP"
+    "security_app_display_name": "Spike in Logon Events from a Source IP",
+    "managed": true,
+    "job_revision": 4
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails.json

@@ -1,20 +1,16 @@
 {
   "description": "Security: Authentication - Looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute force activity and may be a precursor to account takeover or credentialed access.",
-  "groups": [
-    "security",
-    "authentication"
-  ],
+  "groups": ["security", "authentication"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "high count of logon fails",
+        "detector_description": "Detects high count of logon fails.",
         "function": "high_non_zero_count",
         "detector_index": 0
       }
     ],
-    "influencers": [],
-    "model_prune_window": "30d"
+    "influencers": ["source.ip", "user.name", "host.name"]
   },
   "allow_lazy_open": true,
   "analysis_limits": {
@@ -25,6 +21,8 @@
   },
   "custom_settings": {
     "created_by": "ml-module-security-auth",
-    "security_app_display_name": "Spike in Failed Logon Events"
+    "security_app_display_name": "Spike in Failed Logon Events",
+    "managed": true,
+    "job_revision": 4
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json

@@ -1,23 +1,17 @@
 {
-  "description": "Security: Authentication - looks for a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
-  "groups": [
-    "security",
-    "authentication"
-  ],
+  "description": "Security: Authentication - Looks for a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
+  "groups": ["security", "authentication"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "rare hour for a user",
+        "detector_description": "Detects rare hour for a user.",
         "function": "time_of_day",
         "by_field_name": "user.name",
         "detector_index": 0
       }
     ],
-    "influencers": [
-      "source.ip",
-      "user.name"
-    ]
+    "influencers": ["source.ip", "user.name", "host.name"]
   },
   "allow_lazy_open": true,
   "analysis_limits": {
@@ -28,6 +22,8 @@
   },
   "custom_settings": {
     "created_by": "ml-module-security-auth",
-    "security_app_display_name": "Unusual Hour for a User to Logon"
+    "security_app_display_name": "Unusual Hour for a User to Logon",
+    "managed": true,
+    "job_revision": 4
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json

@@ -1,24 +1,18 @@
 {
-  "description": "Security: Authentication - looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
-  "groups": [
-    "security",
-    "authentication"
-  ],
+  "description": "Security: Authentication - Looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
+  "groups": ["security", "authentication"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "rare source IP for a user",
+        "detector_description": "Detects rare source IP for a user.",
         "function": "rare",
         "by_field_name": "source.ip",
         "partition_field_name": "user.name",
         "detector_index": 0
       }
     ],
-    "influencers": [
-      "source.ip",
-      "user.name"
-    ]
+    "influencers": ["source.ip", "user.name", "host.name"]
   },
   "allow_lazy_open": true,
   "analysis_limits": {
@@ -29,6 +23,8 @@
   },
   "custom_settings": {
     "created_by": "ml-module-security-auth",
-    "security_app_display_name": "Unusual Source IP for a User to Logon from"
+    "security_app_display_name": "Unusual Source IP for a User to Logon from",
+    "managed": true,
+    "job_revision": 4
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user.json

@@ -1,23 +1,17 @@
 {
-  "description": "Security: Authentication - looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
-  "groups": [
-    "security",
-    "authentication"
-  ],
+  "description": "Security: Authentication - Looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
+  "groups": ["security", "authentication"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "rare user",
+        "detector_description": "Detects rare user authentication.",
         "function": "rare",
         "by_field_name": "user.name",
         "detector_index": 0
       }
     ],
-    "influencers": [
-      "source.ip",
-      "user.name"
-    ]
+    "influencers": ["source.ip", "user.name", "host.name"]
   },
   "allow_lazy_open": true,
   "analysis_limits": {
@@ -28,6 +22,8 @@
   },
   "custom_settings": {
     "created_by": "ml-module-security-auth",
-    "security_app_display_name": "Rare User Logon"
+    "security_app_display_name": "Rare User Logon",
+    "managed": true,
+    "job_revision": 4
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json

@@ -1,15 +1,10 @@
 {
   "job_id": "JOB_ID",
-  "indices": [
-    "INDEX_PATTERN_NAME"
-  ],
+  "indices": ["INDEX_PATTERN_NAME"],
   "max_empty_searches": 10,
   "query": {
     "bool": {
-      "filter": [
-        {"term": { "event.category": "authentication" }},
-        {"term": { "agent.type": "auditbeat" }}
-      ]
+      "filter": [{ "term": { "event.category": "authentication" } }]
     }
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json

@@ -1,24 +1,17 @@
 {
-  "description": "Security: Auditbeat - Detect unusually high number of authentication attempts.",
-  "groups": [
-    "security",
-    "auditbeat",
-    "authentication"
-  ],
+  "description": "Security: Authentication - Detects unusually high number of authentication attempts.",
+  "groups": ["security", "authentication"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "high number of authentication attempts",
+        "detector_description": "Detects high number of authentication attempts for a host.",
         "function": "high_non_zero_count",
-        "partition_field_name": "host.name"
+        "partition_field_name": "host.name",
+        "detector_index": 0
       }
     ],
-    "influencers": [
-      "host.name",
-      "user.name",
-      "source.ip"
-    ],
+    "influencers": ["host.name", "user.name", "source.ip"],
     "model_prune_window": "30d"
   },
   "allow_lazy_open": true,
@@ -31,11 +24,7 @@
   "custom_settings": {
     "created_by": "ml-module-security-auth",
     "security_app_display_name": "Unusual Login Activity",
-    "custom_urls": [
-      {
-        "url_name": "IP Address Details",
-        "url_value": "security/network/ml-network/ip/$source.ip$?_g=()&query=!n&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
-      }
-    ]
+    "managed": true,
+    "job_revision": 4
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/manifest.json

@@ -1,16 +1,14 @@
 {
   "id": "security_cloudtrail",
   "title": "Security: Cloudtrail",
-  "description": "Detect suspicious activity recorded in your cloudtrail logs.",
-  "type": "Filebeat data",
+  "description": "Detect suspicious activity recorded in Cloudtrail logs.",
+  "type": "Cloudtrail data",
   "logoFile": "logo.json",
-  "defaultIndexPattern": "filebeat-*",
+  "defaultIndexPattern": "logs-*,filebeat-*",
   "query": {
     "bool": {
-      "filter": [
-        {"term": {"event.dataset": "aws.cloudtrail"}}
-      ],
-      "must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }
+      "filter": [{ "term": { "event.dataset": "aws.cloudtrail" } }],
+      "must_not": { "terms": { "_tier": ["data_frozen", "data_cold"] } }
     }
   },
   "jobs": [

x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/high_distinct_count_error_message.json

@@ -1,24 +1,17 @@
 {
   "description": "Security: Cloudtrail - Looks for a spike in the rate of an error message which may simply indicate an impending service failure but these can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor.",
-  "groups": [
-    "security",
-    "cloudtrail"
-  ],
+  "groups": ["security", "cloudtrail"],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
       {
-        "detector_description": "high_distinct_count(\"aws.cloudtrail.error_message\")",
+        "detector_description": "Detects high distinct count of Cloudtrail error messages.",
         "function": "high_distinct_count",
-        "field_name": "aws.cloudtrail.error_message"
+        "field_name": "aws.cloudtrail.error_message",
+        "detector_index": 0
       }
     ],
-    "influencers": [
-      "aws.cloudtrail.user_identity.arn",
-      "source.ip",
-      "source.geo.city_name"
-    ],
-    "model_prune_window": "30d"
+    "influencers": ["aws.cloudtrail.user_identity.arn", "source.ip", "source.geo.city_name"]
   },
   "allow_lazy_open": true,
   "analysis_limits": {
@@ -29,6 +22,8 @@
   },
   "custom_settings": {
     "created_by": "ml-module-security-cloudtrail",
-    "security_app_display_name": "Spike in AWS Error Messages"
+    "security_app_display_name": "Spike in AWS Error Messages",
+    "managed": true,
+    "job_revision": 4
   }
 }