Adds ML supervised model Problem child package

[alvarezmelissa87]

What does this PR do?

Adds the ML supervised model package for Problem child model.

Package includes:

• pipelines
• ml_module
• ml_model
• security rules

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• If I'm introducing a new feature, I have modified the Kibana version constraint in my package's manifest.yml file to point to the latest Elastic stack release (e.g. ^7.13.0).

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-03-28T14:39:27.986+0000

• Duration: 21 min 46 sec

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[peteharverson]

Is it possible to set a description field for the model, so that something like The Problem child model is used to detect living off the land (LOtl) activity. appears in the models list:

[peteharverson]

As above, could the description here be edited to indicate the field it is running on blocklist_label? I don't have enough context on what information is held in blocklist_label to advise here.

[ajosh0504]

@peteharverson So the way we classify processes as malicious is using either a supervised model or a blocklist for things the model may have missed. I think adding this in the description will introduce complexity.

[peteharverson]

OK. Thanks for explanation @ajosh0504

[peteharverson]

Could we include the field name in the description of this detector - what is it a high sum of?

[peteharverson]

Could we include the field name in the description of this detector - what is it a high sum of?

[ajosh0504]

As above, I think introducing field names in the descriptions might introduce complexity, since users may not know what the fields exactly mean.

[dishadasgupta]

I agree with Apoorva, field names aren't always the most user-centric and don't add that much value (imo) for the complexity they could add

[peteharverson]

Could we include the field name in the description of this detector - what is it a high sum of?

[peteharverson]

Could we include the field name in the description of this detector - what is it a high sum of?

[ajosh0504]

Thanks for getting this done! Super excited to see these models in packages. Just one question. So once a user installs a package, what's the process for them to update/change artifacts produced by the package?

[ajosh0504]

Can we keep the name consistent everywhere? I'm seeing ProblemChild, problem child and ProblemChild being used. We've been going with ProblemChild so far.

[alvarezmelissa87]

Updated to use ProblemChild everywhere in 7d33b9d

[ajosh0504]

Suggested change

	The Problem child model package contains the [Problem child model and associated assets](https://www.elastic.co/blog/problemchild-generate-alerts-to-detect-living-off-the-land-attacks), which are used to detect living off the land (LOtl) activity.
	The Problem child package contains the [Problem child model and associated assets](https://www.elastic.co/blog/problemchild-generate-alerts-to-detect-living-off-the-land-attacks), which are used to detect living off the land (LotL) activity.

[alvarezmelissa87]

Updated in 7d33b9d

[ajosh0504]

@peteharverson So the way we classify processes as malicious is using either a supervised model or a blocklist for things the model may have missed. I think adding this in the description will introduce complexity.

[ajosh0504]

As above, I think introducing field names in the descriptions might introduce complexity, since users may not know what the fields exactly mean.

[ajosh0504]

As with the DGA model, should the model file name here be something more understandable? It's currently problemchild_20210526_1.0.json. This will also need to be changed in the inference pipeline.

---

@ajosh0504 - this file name is the name of the model id since the file name is used to determine the model id to send up to the put trained models api to install it to ES. Filenames being the asset id is consistent with the way fleet installs things.

[dishadasgupta]

Is there a way to make this description a bit clearer? I feel like "pipeline of pipelines" at first read could be a bit confusing

[peteharverson]

How about just Pipelines for ProblemChild detection? Is this label actually shown anywhere in the UI?

[dishadasgupta]

I'm assuming this is within a cluster? Are there any steps needed before this? i.e. ProblemChild requires Platinum level capabilities, is that denoted anywhere (unless I missed it)? Maybe even a quick note in the README would be helpful

[alvarezmelissa87]

The package manifest file has the license type that is required - that is enforced in Fleet and the installation will fail due to failing to meet the required license type.

[alvarezmelissa87]

cc @lcawl for package/model description text in the readme and such.

[brokensound77]

So cool to see this finally going into the product (after being in an experimental state for so long). I left a few suggestions.

@spong FYSA, if I am not mistaken, this and #2352 and the first integrations outside of the prebuilt rules to add rules destined for the detection engine. Not sure if there were any assumptions or considerations to be made.

[brokensound77]

is the line break in the middle intentional?

[brokensound77]

Shouldn't need a trailing one either

[alvarezmelissa87]

These lines breaks were part of the release and haven't been changed. I'd need confirmation that it's okay to remove them.

[spong]

FWIW there doesn't appear to be any issue with rendering (these newlines are ignored):

[brokensound77]

was the \u003e a unicode conversion error?

[alvarezmelissa87]

Yep - fixed! thanks! 7d0d452

[spong]

Hmmm, I'm still seeing this in the latest. The other changes from 7d0d452 appear to have made it though? (i.e. packages/problem_child/manifest.yml title has been updated to ProblemChild instead ML ProblemChild)

[alvarezmelissa87]

Thanks for catching this - this should now be a > instead of the encoded version 👍 Fixed in c3692a17d515ebdd31e95e03652f735d04db5748

[alvarezmelissa87]

@spong - looks like running the elastic-package format command is what's causing the change from > to the encoded version. Is this expected?
cc @mtojek - also - running elastic-package check locally is failing with a reference to the ml_model file name - though the update was made to package-spec to match that file name pattern and I've tested with the package-spec validator test so curious if this could be something going on locally? Might need to chat with you quickly on that one.

[brokensound77]

Oh wow, looks like you are right

integrations/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json

Line 16 in 1d18f55

"query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n",

I guess it is ok to leave it converted then 🤷

[mtojek]

What we can see in the CI output is:

[2022-03-18T15:59:14.998Z] Error: checking package failed: formatting the integration failed (path: /var/lib/jenkins/workspace/est-manager_integrations_PR-2115/src/github.com/elastic/integrations/packages/problem_child, failFast: true): walking through the integration files failed: formatting file failed (path: /var/lib/jenkins/workspace/est-manager_integrations_PR-2115/src/github.com/elastic/integrations/packages/problem_child/kibana/security_rule/9a2e372a-cbeb-4ad6-a288-017ef086324c.json): file is not formatted (path: /var/lib/jenkins/workspace/est-manager_integrations_PR-2115/src/github.com/elastic/integrations/packages/problem_child/kibana/security_rule/9a2e372a-cbeb-4ad6-a288-017ef086324c.json)

so it confirms that you have to post the formatted code. Sometimes the formatted code might be harder to read, but we don't have a choice here if we want to depend on standard JSON libraries. Please run elastic-package format and post the formatted content.

[mtojek]

cc @mtojek - also - running elastic-package check locally is failing with a reference to the ml_model file name - though the update was made to package-spec to match that file name pattern and I've tested with the package-spec validator test so curious if this could be something going on locally? Might need to chat with you quickly on that one.

It depends on which elastic-package release you have locally and which one is in the go.mod in the Integrations.

BTW we're struggling a bit with updating the dependency - here.

[brokensound77]

is it worth elaborating on this to explain the relationship between the model, jobs, and rules. I believe the job and rules will be installed but in a disabled state. Also if the rule is enabled before the job, it will throw an error.

The schema for rules accepts defining enabled = true, though I am not totally sure on the ml jobs

[alvarezmelissa87]

How about adding something to the Configuration section of the readme - after the to download the assets bit
Something like Ingest data with the installed ingest pipeline to enrich your indices with inference data and run the provided anomaly detection jobs.

If rules are enabled in the same way as described in https://www.elastic.co/guide/en/security/master/rules-ui-management.html, worst case we can link there. For example, add a sentence like, "For more information about activating the detection rules, refer to .

cc @peteharverson, @lcawl, @brokensound77

[lcawl]

The goal is to ultimately have a page in the docs that walks through the installation and use of this integration's assets, but since that's not available to link to yet, I agree with your suggestion for a couple of lines in the Configuration section of the readme as a stop-gap.

[alvarezmelissa87]

Added in 11eb4a152ddadf13c75d6e469e97f01d6db9dd06
cc @lcawl, @peteharverson

[alvarezmelissa87]

@lcawl, @peteharverson, @Winterflower
The latest screenshots and README file have been updated with more detailed instructions on how to use the package - as discussed - in c3692a17d515ebdd31e95e03652f735d04db5748
Would appreciate confirmation that it's what we want when you get a chance! 🙏

[peteharverson]

Latest changes LGTM

[mtojek]

@alvarezmelissa87 What about this "id"? CI mentioned that field.

[alvarezmelissa87]

Ah, thanks - missed this the first time! Updated in 38fd11b

[spong]

Just commenting to update that we've come to consensus on how we'll handle the aforementioned issue around rule_id uniqueness between packages, and that there is no reason to hold up the merging or publishing of this package from the Security Solution side. Please see this comment elastic/kibana#128202 (comment) for all the details, and thank you all for all your input here! 🙂

[mtojek]

/test