
Commit 5d05b07

Michael Hirschelasticmachine
authored andcommitted
[ML] Adds Metadata and Discovery Analysis Jobs to Security Integration (#76023)
* adds enhanced winlogbeat module * adds enhanced auditbeat module * splits discovery jobs * fixes winlogbeat manifest * adds process group * adds custom urls * adds by field as influencer * use process.title as influencer * updates custom url Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
1 parent 87554c9 commit 5d05b07

26 files changed

Lines changed: 938 additions & 1 deletion

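--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/manifest.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/manifest.json
@@ -40,6 +40,46 @@
 {
 "id": "linux_anomalous_user_name_ecs",
 "file": "linux_anomalous_user_name_ecs.json"
+},
+{
+"id": "linux_rare_metadata_process",
+"file": "linux_rare_metadata_process.json"
+},
+{
+"id": "linux_rare_metadata_user",
+"file": "linux_rare_metadata_user.json"
+},
+{
+"id": "linux_rare_user_compiler",
+"file": "linux_rare_user_compiler.json"
+},
+{
+"id": "linux_rare_kernel_module_arguments",
+"file": "linux_rare_kernel_module_arguments.json"
+},
+{
+"id": "linux_rare_sudo_user",
+"file": "linux_rare_sudo_user.json"
+},
+{
+"id": "linux_system_user_discovery",
+"file": "linux_system_user_discovery.json"
+},
+{
+"id": "linux_system_information_discovery",
+"file": "linux_system_information_discovery.json"
+},
+{
+"id": "linux_system_process_discovery",
+"file": "linux_system_process_discovery.json"
+},
+{
+"id": "linux_network_connection_discovery",
+"file": "linux_network_connection_discovery.json"
+},
+{
+"id": "linux_network_configuration_discovery",
+"file": "linux_network_configuration_discovery.json"
 }
 ],
 "datafeeds": [
@@ -77,6 +117,56 @@
 "id": "datafeed-linux_anomalous_user_name_ecs",
 "file": "datafeed_linux_anomalous_user_name_ecs.json",
 "job_id": "linux_anomalous_user_name_ecs"
+},
+{
+"id": "datafeed-linux_rare_metadata_process",
+"file": "datafeed_linux_rare_metadata_process.json",
+"job_id": "linux_rare_metadata_process"
+},
+{
+"id": "datafeed-linux_rare_metadata_user",
+"file": "datafeed_linux_rare_metadata_user.json",
+"job_id": "linux_rare_metadata_user"
+},
+{
+"id": "datafeed-linux_rare_user_compiler",
+"file": "datafeed_linux_rare_user_compiler.json",
+"job_id": "linux_rare_user_compiler"
+},
+{
+"id": "datafeed-linux_rare_kernel_module_arguments",
+"file": "datafeed_linux_rare_kernel_module_arguments.json",
+"job_id": "linux_rare_kernel_module_arguments"
+},
+{
+"id": "datafeed-linux_rare_sudo_user",
+"file": "datafeed_linux_rare_sudo_user.json",
+"job_id": "linux_rare_sudo_user"
+},
+{
+"id": "datafeed-linux_system_information_discovery",
+"file": "datafeed_linux_system_information_discovery.json",
+"job_id": "linux_system_information_discovery"
+},
+{
+"id": "datafeed-linux_system_process_discovery",
+"file": "datafeed_linux_system_process_discovery.json",
+"job_id": "linux_system_process_discovery"
+},
+{
+"id": "datafeed-linux_system_user_discovery",
+"file": "datafeed_linux_system_user_discovery.json",
+"job_id": "linux_system_user_discovery"
+},
+{
+"id": "datafeed-linux_network_configuration_discovery",
+"file": "datafeed_linux_network_configuration_discovery.json",
+"job_id": "linux_network_configuration_discovery"
+},
+{
+"id": "datafeed-linux_network_connection_discovery",
+"file": "datafeed_linux_network_connection_discovery.json",
+"job_id": "linux_network_connection_discovery"
 }
 ]
 }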
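Review bot: The new `datafeeds` entries are listed in a different order from the `jobs` entries they reference (jobs: user, information, process, connection, configuration discovery; datafeeds: information, process, user, configuration, connection), which makes the cross-check between the two arrays harder than it needs to be. Each of the eleven new job ids does have a matching `job_id` in the datafeeds array, so this is style only. Reordering the datafeed objects to follow the job order would keep the two lists parallel for the next person who adds a job.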
@@ -0,0 +1,26 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"must": [
10+
{
11+
"bool": {
12+
"should": [
13+
{"term": {"process.name": "arp"}},
14+
{"term": {"process.name": "echo"}},
15+
{"term": {"process.name": "ethtool"}},
16+
{"term": {"process.name": "ifconfig"}},
17+
{"term": {"process.name": "ip"}},
18+
{"term": {"process.name": "iptables"}},
19+
{"term": {"process.name": "ufw"}}
20+
]
21+
}
22+
}
23+
]
24+
}
25+
}
26+
}
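Review bot: The `should` clauses on `process.name` are the only constraint in this query, so any auditbeat event attributed to these process names is modelled, not just executions; the `sudo` and compiler datafeeds in this same commit add `{"term": {"event.action": "executed"}}` in `filter`, and this datafeed presumably wants the same scoping. `echo` is also in the list; it is usually a shell builtin and, when it does run as `/bin/echo`, is one of the most common process names on a host, so unless it is deliberately there for `echo … > /proc/sys/net/…` style changes it will dominate the model — worth confirming. Since datafeed queries do not need relevance scoring, the `must` → `bool.should` nesting can be replaced by `"filter": [{"term": {"event.action": "executed"}}, {"terms": {"process.name": ["arp", "echo", "ethtool", "ifconfig", "ip", "iptables", "ufw"]}}]`.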
@@ -0,0 +1,23 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"must": [
10+
{
11+
"bool": {
12+
"should": [
13+
{"term": {"process.name": "netstat"}},
14+
{"term": {"process.name": "ss"}},
15+
{"term": {"process.name": "route"}},
16+
{"term": {"process.name": "showmount"}}
17+
]
18+
}
19+
}
20+
]
21+
}
22+
}
23+
}
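Review bot: This query constrains only `process.name` and not `event.action`, so audit records other than process executions (file or socket events carrying the same process name, for instance) feed the model; adding `{"term": {"event.action": "executed"}}` to a `filter` clause, as the `sudo` and compiler datafeeds in this commit do, would keep the semantics to "someone ran netstat/ss/route/showmount". The `must` → `bool.should` → `term` nesting is also equivalent to a single `{"terms": {"process.name": ["netstat", "ss", "route", "showmount"]}}` in `filter`, which reads more directly and avoids scoring work the datafeed never uses.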
@@ -0,0 +1,22 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"filter": [{"exists": {"field": "process.title"}}],
10+
"must": [
11+
{"bool": {
12+
"should": [
13+
{"term": {"process.name": "insmod"}},
14+
{"term": {"process.name": "kmod"}},
15+
{"term": {"process.name": "modprobe"}},
16+
{"term": {"process.name": "rmod"}}
17+
]
18+
}}
19+
]
20+
}
21+
}
22+
}
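Review bot: `{"term": {"process.name": "rmod"}}` looks like a typo for `rmmod`, the standard module-removal utility shipped with kmod; as written the clause can never match on a normal system, so module unloads are absent from the job's model of kernel-module arguments. Change it to `{"term": {"process.name": "rmmod"}}`. The `exists` filter on `process.title` is sensible if the job's by-field or influencer is `process.title`, as the commit message suggests, since documents without that field would otherwise contribute nothing to the analysis.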
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"filter": [{"term": {"destination.ip": "169.254.169.254"}}]
10+
}
11+
}
12+
}
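Review bot: The `destination.ip` filter covers only the IPv4 instance-metadata address; on AWS, IMDS is also reachable over IPv6 at `fd00:ec2::254`, so a process querying the metadata service over IPv6 would be invisible to this job. If that is in scope, widen the filter to `{"terms": {"destination.ip": ["169.254.169.254", "fd00:ec2::254"]}}` — a `terms` query on an `ip` field handles both families. Note also that this datafeed body is byte-identical to the following one; that is fine if the two jobs differ only in their by-field, but any later change to the filter has to be made in both places.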
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"filter": [{"term": {"destination.ip": "169.254.169.254"}}]
10+
}
11+
}
12+
}
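Review bot: This datafeed is identical to the preceding `169.254.169.254` datafeed, so the same gap applies: only the IPv4 metadata endpoint is matched, and an AWS IMDS request over IPv6 (`fd00:ec2::254`) would be missed; `{"terms": {"destination.ip": ["169.254.169.254", "fd00:ec2::254"]}}` closes it. Keeping the two queries in sync matters here because the user-based and process-based jobs are presumably meant to see the same population of metadata-service connections.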
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"filter": [
10+
{"term": {"event.action": "executed"}},
11+
{"term": {"process.name": "sudo"}}
12+
]
13+
}
14+
}
15+
}
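Review bot: The `event.action: executed` filter means this datafeed only sees `sudo` invocations if the host's auditd rules actually record execve events; on a host without such rules every search is empty and, with `max_empty_searches: 10`, the datafeed will stop itself after ten consecutive empty searches, so the job silently covers nothing. That is reasonable behaviour but worth stating in the module or job description so operators know the prerequisite. Matching on `process.name: sudo` also models who invokes `sudo`, not what is run through it; if the latter is the interest, the job definition (not in this hunk) would need `process.args` or `process.title` as its field.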
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"filter": [{"term": {"event.action": "executed"}}],
10+
"must": [
11+
{"bool": {
12+
"should": [
13+
{"term": {"process.name": "compile"}},
14+
{"term": {"process.name": "gcc"}},
15+
{"term": {"process.name": "make"}},
16+
{"term": {"process.name": "yasm"}}
17+
]
18+
}}
19+
]
20+
}
21+
}
22+
}
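Review bot: The `should` list omits `cc`, the POSIX name most build systems invoke (usually a symlink to gcc or clang), as well as `clang`, `g++` and `nasm`, so a compile on a host whose toolchain is reached through any of those names is never seen by this job; adding at least `{"term": {"process.name": "cc"}}` and `{"term": {"process.name": "clang"}}` would close the most common gaps. `compile`, on the other hand, is not a standard tool name — confirm it is intentional (a site-local wrapper, say) rather than a placeholder. The whole clause can also collapse to `{"terms": {"process.name": ["cc", "clang", "compile", "gcc", "make", "yasm"]}}` inside the existing `filter` array next to the `event.action` term.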
@@ -0,0 +1,31 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"must": [
10+
{
11+
"bool": {
12+
"should": [
13+
{"term": {"process.name": "cat"}},
14+
{"term": {"process.name": "grep"}},
15+
{"term": {"process.name": "head"}},
16+
{"term": {"process.name": "hostname"}},
17+
{"term": {"process.name": "less"}},
18+
{"term": {"process.name": "ls"}},
19+
{"term": {"process.name": "lsmod"}},
20+
{"term": {"process.name": "more"}},
21+
{"term": {"process.name": "strings"}},
22+
{"term": {"process.name": "tail"}},
23+
{"term": {"process.name": "uptime"}},
24+
{"term": {"process.name": "uname"}}
25+
]
26+
}
27+
}
28+
]
29+
}
30+
}
31+
}
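Review bot: This query has no `event.action: executed` filter, unlike the `sudo` and compiler datafeeds in this commit, and its `should` list is dominated by `cat`, `grep`, `head`, `less`, `ls`, `more`, `tail` and `strings` — among the most frequently executed programs on any Linux host — so every audit record mentioning them (not only executions) will flood the model and the genuinely discovery-specific names (`uname`, `hostname`, `uptime`, `lsmod`) become a rounding error. Adding `{"term": {"event.action": "executed"}}` as a `filter` would at least restrict this to process executions, consistent with the sibling datafeeds. Whether the generic file-viewing tools belong here at all depends on what the job's detector keys on, which is not in this hunk; if it is plain event counts per process, trimming the list is probably needed.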
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
{
2+
"job_id": "JOB_ID",
3+
"indices": [
4+
"INDEX_PATTERN_NAME"
5+
],
6+
"max_empty_searches": 10,
7+
"query": {
8+
"bool": {
9+
"must": [
10+
{
11+
"bool": {
12+
"should": [
13+
{"term": {"process.name": "ps"}},
14+
{"term": {"process.name": "top"}}
15+
]
16+
}
17+
}
18+
]
19+
}
20+
}
21+
}
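Review bot: The three-level `must` → `bool.should` → `term` structure is more nesting than the query needs: `"filter": [{"terms": {"process.name": ["ps", "top"]}}]` is equivalent (a `terms` query is an OR over its values) and, being in filter context, skips scoring the datafeed never uses. As with the other discovery datafeeds here, there is no `event.action: executed` constraint, so non-execution audit events attributed to `ps`/`top` are modelled too; `{"term": {"event.action": "executed"}}` alongside the `terms` clause would align it with the `sudo` datafeed.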

0 commit comments

Comments
 (0)