format files

Author: alvarezmelissa87

packages/ml_problem_child/elasticsearch/ml_model/problemchild_20210526_1.0.json

@@ -1,24 +1,31 @@
 {
- "attributes": {
- "author": [
- "Elastic"
- ],
- "description": "A supervised machine learning model (ProblemChild) or its blocklist has identified\na suspicious Windows process event to be malicious activity.\n",
- "from": "now-9m",
- "index": ["endgame-*", "logs-endpoint.events.process.*", "winlogbeat-*"],
- "language": "kuery",
- "license": "Elastic License",
- "max_signals": 10000,
- "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
- "query": "problemchild.prediction:1 or blocklist_label:1",
- "risk_score": 21,
- "rule_id": "34184d4e-ef61-477b-8d76-5c93448c29bf",
- "severity": "low",
- "tags": ["Elastic", "ML-ProblemChild"],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 2
- },
- "id": "34184d4e-ef61-477b-8d76-5c93448c29bf",
- "type": "security-rule"
-}
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A supervised machine learning model (ProblemChild) or its blocklist has identified\na suspicious Windows process event to be malicious activity.\n",
+ "from": "now-9m",
+ "index": [
+ "endgame-*",
+ "logs-endpoint.events.process.*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License",
+ "max_signals": 10000,
+ "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
+ "query": "problemchild.prediction:1 or blocklist_label:1",
+ "risk_score": 21,
+ "rule_id": "34184d4e-ef61-477b-8d76-5c93448c29bf",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "ML-ProblemChild"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+ },
+ "id": "34184d4e-ef61-477b-8d76-5c93448c29bf",
+ "type": "security-rule"
+}

packages/ml_problem_child/kibana/ml_module/problem-child-ml.json

@@ -1,25 +1,31 @@
 {
- "attributes": {
- "anomaly_threshold": 75,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job has detected a suspicious Windows process. This\nprocess has been classified as malicious in two ways. It was predicted to be malicious\nby the ProblemChild supervised ML model, and it was found to be an unusual process,\non a host that does not commonly manifest malicious activity. Such a process may be an\ninstance of suspicious or malicious activity, possibly involving LOLbins, that may be\nresistant to detection using conventional search rules.\n",
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License",
- "machine_learning_job_id": "problem_child_rare_process_by_host",
- "name": "Unusual Process Spawned By a Host",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "risk_score": 21,
- "rule_id": "415d6863-7676-401f-aa8d-62f59a28e849",
- "severity": "low",
- "tags": ["Elastic", "Windows", "Process", "Threat Detection", "ML"],
- "type": "machine_learning",
- "version": 1
- },
- "id": "415d6863-7676-401f-aa8d-62f59a28e849",
- "type": "security-rule"
-}
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job has detected a suspicious Windows process. This\nprocess has been classified as malicious in two ways. It was predicted to be malicious\nby the ProblemChild supervised ML model, and it was found to be an unusual process,\non a host that does not commonly manifest malicious activity. Such a process may be an\ninstance of suspicious or malicious activity, possibly involving LOLbins, that may be\nresistant to detection using conventional search rules.\n",
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License",
+ "machine_learning_job_id": "problem_child_rare_process_by_host",
+ "name": "Unusual Process Spawned By a Host",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "415d6863-7676-401f-aa8d-62f59a28e849",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Windows",
+ "Process",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 1
+ },
+ "id": "415d6863-7676-401f-aa8d-62f59a28e849",
+ "type": "security-rule"
+}

packages/ml_problem_child/kibana/security_rule/34184d4e-ef61-477b-8d76-5c93448c29bf.json

@@ -16,10 +16,16 @@
  "risk_score": 21,
  "rule_id": "86d57ec4-ace5-4456-8145-02e6f0cdd71a",
  "severity": "low",
- "tags": ["Elastic", "Windows", "Process", "Threat Detection", "ML"],
+ "tags": [
+ "Elastic",
+ "Windows",
+ "Process",
+ "Threat Detection",
+ "ML"
+ ],
  "type": "machine_learning",
  "version": 1
  },
  "id": "86d57ec4-ace5-4456-8145-02e6f0cdd71a",
  "type": "security-rule"
-}
+}

packages/ml_problem_child/kibana/security_rule/415d6863-7676-401f-aa8d-62f59a28e849.json

@@ -1,24 +1,31 @@
 {
- "attributes": {
- "author": [
- "Elastic"
- ],
- "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows\nprocess event with high probability of it being malicious activity.\nAlternatively, the model's blocklist identified the event as being malicious.\n",
- "from": "now-9m",
- "index": ["endgame-*", "logs-endpoint.events.process.*", "winlogbeat-*"],
- "language": "kuery",
- "license": "Elastic License",
- "max_signals": 10000,
- "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
- "query": "(problemchild.prediction:1 and problemchild.prediction_probability > 0.98) or blocklist_label:1",
- "risk_score": 21,
- "rule_id": "9a2e372a-cbeb-4ad6-a288-017ef086324c",
- "severity": "low",
- "tags": ["Elastic", "ML-ProblemChild"],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 2
- },
- "id": "9a2e372a-cbeb-4ad6-a288-017ef086324c",
- "type": "security-rule"
-}
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows\nprocess event with high probability of it being malicious activity.\nAlternatively, the model's blocklist identified the event as being malicious.\n",
+ "from": "now-9m",
+ "index": [
+ "endgame-*",
+ "logs-endpoint.events.process.*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License",
+ "max_signals": 10000,
+ "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
+ "query": "(problemchild.prediction:1 and problemchild.prediction_probability \u003e 0.98) or blocklist_label:1",
+ "risk_score": 21,
+ "rule_id": "9a2e372a-cbeb-4ad6-a288-017ef086324c",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "ML-ProblemChild"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+ },
+ "id": "9a2e372a-cbeb-4ad6-a288-017ef086324c",
+ "type": "security-rule"
+}

packages/ml_problem_child/kibana/security_rule/86d57ec4-ace5-4456-8145-02e6f0cdd71a.json

@@ -1,23 +1,31 @@
 {
- "attributes": {
- "anomaly_threshold": 75,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job combination has detected a set of one or more suspicious Windows\nprocesses with unusually high scores for malicious probability. These process(es) have\nbeen classified as malicious in several ways. The process(es) were predicted to be malicious\nby the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious\nprocesses, each process has the same parent process name, and the aggregate score of the\nevent cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster\noften contains suspicious or malicious activity, possibly involving LOLbins, that may be\nresistant to detection using conventional search rules.\n",
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License",
- "machine_learning_job_id": "problem_child_high_sum_by_parent",
- "name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
- "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"],
- "risk_score": 21,
- "rule_id": "9b98d945-2cce-45e5-aa84-4b021af0e153",
- "severity": "low",
- "tags": ["Elastic", "Windows", "Process", "Threat Detection", "ML"],
- "type": "machine_learning",
- "version": 1
- },
- "id": "9b98d945-2cce-45e5-aa84-4b021af0e153",
- "type": "security-rule"
-}
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job combination has detected a set of one or more suspicious Windows\nprocesses with unusually high scores for malicious probability. These process(es) have\nbeen classified as malicious in several ways. The process(es) were predicted to be malicious\nby the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious\nprocesses, each process has the same parent process name, and the aggregate score of the\nevent cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster\noften contains suspicious or malicious activity, possibly involving LOLbins, that may be\nresistant to detection using conventional search rules.\n",
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License",
+ "machine_learning_job_id": "problem_child_high_sum_by_parent",
+ "name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "9b98d945-2cce-45e5-aa84-4b021af0e153",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Windows",
+ "Process",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 1
+ },
+ "id": "9b98d945-2cce-45e5-aa84-4b021af0e153",
+ "type": "security-rule"
+}

packages/ml_problem_child/kibana/security_rule/9a2e372a-cbeb-4ad6-a288-017ef086324c.json

@@ -1,23 +1,31 @@
 {
- "attributes": {
- "anomaly_threshold": 75,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job has detected a suspicious Windows process. This process has\nbeen classified as malicious in two ways. It was predicted to be malicious by the\nProblemChild supervised ML model, and it was found to be suspicious given that its\nuser context is unusual and does not commonly manifest malicious activity,by an\nunsupervised ML model. Such a process may be an instance of suspicious or malicious\nactivity, possibly involving LOLbins, that may be resistant to detection using\nconventional search rules.\n",
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License",
- "machine_learning_job_id": "problem_child_rare_process_by_user",
- "name": "Unusual Process Spawned By a User",
- "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"],
- "risk_score": 21,
- "rule_id": "a5cb4cd7-ba05-47e8-a815-f95c21719ded",
- "severity": "low",
- "tags": ["Elastic", "Windows", "Process", "Threat Detection", "ML"],
- "type": "machine_learning",
- "version": 1
- },
- "id": "a5cb4cd7-ba05-47e8-a815-f95c21719ded",
- "type": "security-rule"
-}
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job has detected a suspicious Windows process. This process has\nbeen classified as malicious in two ways. It was predicted to be malicious by the\nProblemChild supervised ML model, and it was found to be suspicious given that its\nuser context is unusual and does not commonly manifest malicious activity,by an\nunsupervised ML model. Such a process may be an instance of suspicious or malicious\nactivity, possibly involving LOLbins, that may be resistant to detection using\nconventional search rules.\n",
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License",
+ "machine_learning_job_id": "problem_child_rare_process_by_user",
+ "name": "Unusual Process Spawned By a User",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "a5cb4cd7-ba05-47e8-a815-f95c21719ded",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Windows",
+ "Process",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 1
+ },
+ "id": "a5cb4cd7-ba05-47e8-a815-f95c21719ded",
+ "type": "security-rule"
+}

packages/ml_problem_child/kibana/security_rule/9b98d945-2cce-45e5-aa84-4b021af0e153.json

@@ -1,23 +1,31 @@
 {
- "attributes": {
- "anomaly_threshold": 75,
- "author": [
- "Elastic"
- ],
- "description": "A machine learning job has detected a suspicious Windows process. This\nprocess has been classified as malicious in two ways. It was predicted to be malicious\nby the ProblemChild supervised ML model, and it was found to be an unusual child process name,\nfor the parent process, by an unsupervised ML model. Such a process may be an instance of\nsuspicious or malicious activity, possibly involving LOLbins, that may be resistant to\ndetection using conventional search rules.\n",
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License",
- "machine_learning_job_id": "problem_child_rare_process_by_parent",
- "name": "Unusual Process Spawned By a Parent Process",
- "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"],
- "risk_score": 21,
- "rule_id": "ae7c2f69-0c51-4b02-ad54-d3d75023da8b",
- "severity": "low",
- "tags": ["Elastic", "Windows", "Process", "Threat Detection", "ML"],
- "type": "machine_learning",
- "version": 1
- },
- "id": "ae7c2f69-0c51-4b02-ad54-d3d75023da8b",
- "type": "security-rule"
-}
+ "attributes": {
+ "anomaly_threshold": 75,
+ "author": [
+ "Elastic"
+ ],
+ "description": "A machine learning job has detected a suspicious Windows process. This\nprocess has been classified as malicious in two ways. It was predicted to be malicious\nby the ProblemChild supervised ML model, and it was found to be an unusual child process name,\nfor the parent process, by an unsupervised ML model. Such a process may be an instance of\nsuspicious or malicious activity, possibly involving LOLbins, that may be resistant to\ndetection using conventional search rules.\n",
+ "from": "now-45m",
+ "interval": "15m",
+ "license": "Elastic License",
+ "machine_learning_job_id": "problem_child_rare_process_by_parent",
+ "name": "Unusual Process Spawned By a Parent Process",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+ ],
+ "risk_score": 21,
+ "rule_id": "ae7c2f69-0c51-4b02-ad54-d3d75023da8b",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Windows",
+ "Process",
+ "Threat Detection",
+ "ML"
+ ],
+ "type": "machine_learning",
+ "version": 1
+ },
+ "id": "ae7c2f69-0c51-4b02-ad54-d3d75023da8b",
+ "type": "security-rule"
+}