Releases: elastic/detection-rules

ML-UserRiskScore-20220628-1

28 Jun 12:55
cc01d3f

Pre-release

For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning

Tested and compatible with Elastic Stack version 8.3.


Changelog

  • This is the first version of the user risk score app, which calculates a normalized risk score for user names from the risk scores in the available alerts.

ML-HostRiskScore-20220404-5

04 Apr 15:05
6bdfdda

Pre-release

Note on installation

As of Elastic Stack version 8.3, we no longer recommend installing User Risk Score using this release bundle. Please follow the official documentation for steps to install User Risk Score based on your Stack version.


For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning

Tested and compatible with Elastic Stack version 8.1.


Changelog

  • Adding multipliers to boost the host risk score based on certain properties
  • Adding some explainability about the host risk score

ML-Beaconing-20211216-1

04 Mar 18:59
6653acb

Pre-release

For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning

Tested and compatible with Elastic Stack version 7.16.


Changelog

This is the first release for our experimental Network Beaconing framework. It consists of the following:

  • Scripts, ingest pipelines and transforms to monitor network event data and flag beaconing-like activity
  • dashboards.ndjson contains all the assets required for three dashboards: "Network Beaconing", the main dashboard for monitoring beaconing activity; "Beaconing Drilldown", for drilling down into the relevant event logs and some statistics related to the beaconing activity; and "Hosts Affected Over Time By Process Name", for monitoring the reach of beaconing processes across hosts in your environment over the past two weeks.

ML-HostRiskScore-20220215-4

15 Feb 17:16
9bbe26f

Pre-release

For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning

Tested and compatible with Elastic Stack version 8.0.


Changelog

  • Updating the alerts alias to reflect changes made in 8.0

ML-experimental-detections-20211130-7

30 Nov 18:47
c619844

Pre-release

changelog

detections added

Beaconing

  • ML jobs:
    • beaconing_rare_process

Registry of experimental detections

Experimental detections

  • rules and dashboards can be imported via Kibana
  • jobs and datafeeds can be imported using the CLI or Kibana devtools

Refer to the experimental-machine-learning docs for more details

detection ID | type | relative path
beaconing_rare_process | anomaly_detection | beaconing/anomaly_detection/beaconing_rare_process.json
beaconing_rare_process | datafeed | beaconing/datafeed/beaconing_rare_process.json
47b1a804-4f65-40b0-a7ef-fdac3c00b00c | rule | url_spoof/rule/url_spoof_ml_predicted_malicious_url.ndjson
problem_child_high_sum_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_parent.json
problem_child_high_sum_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_user.json
problem_child_rare_process_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_parent.json
problem_child_rare_process_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_user.json
problem_child_high_sum_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_host.json
problem_child_rare_process_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_host.json
problem_child_high_sum_by_parent | datafeed | problem_child/datafeed/problem_child_high_sum_by_parent.json
problem_child_high_sum_by_user | datafeed | problem_child/datafeed/problem_child_high_sum_by_user.json
problem_child_rare_process_by_parent | datafeed | problem_child/datafeed/problem_child_rare_process_by_parent.json
problem_child_rare_process_by_user | datafeed | problem_child/datafeed/problem_child_rare_process_by_user.json
problem_child_high_sum_by_host | datafeed | problem_child/datafeed/problem_child_high_sum_by_host.json
problem_child_rare_process_by_host | datafeed | problem_child/datafeed/problem_child_rare_process_by_host.json
9a2e372a-cbeb-4ad6-a288-017ef086324c | rule | problem_child/rule/problem_child_ml_high_probability_suspicious_windows_event.ndjson
a5cb4cd7-ba05-47e8-a815-f95c21719ded | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_user.ndjson
9b98d945-2cce-45e5-aa84-4b021af0e153 | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_parent.ndjson
ff590871-371b-468f-8cd8-2876b54c53bd | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_user.ndjson
ae7c2f69-0c51-4b02-ad54-d3d75023da8b | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_parent.ndjson
34184d4e-ef61-477b-8d76-5c93448c29bf | rule | problem_child/rule/problem_child_ml_predicted_suspicious_windows_event.ndjson
415d6863-7676-401f-aa8d-62f59a28e849 | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_host.ndjson
86d57ec4-ace5-4456-8145-02e6f0cdd71a | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_host.ndjson
dga_high_sum_probability | anomaly_detection | dga/anomaly_detection/dga_high_sum_probability.json
dga_high_sum_probability | datafeed | dga/datafeed/dga_high_sum_probability.json
997ec71d-bddc-4513-b6f1-193f601fd420 | rule | dga/rule/dga_command_and_control_high_sum_scores.ndjson
170b35d4-d944-4264-a8ca-3118ae2e1534 | rule | dga/rule/dga_command_and_control_ml_sunburst_domain.ndjson
64116bb2-0f2c-4cf6-9df4-9973452b4d4b | rule | dga/rule/dga_command_and_control_ml_predicted_domain.ndjson
a020dadb-3da2-4252-91e9-b0fc148823e2 | rule | dga/rule/dga_command_and_control_ml_probable_domain.ndjson
None | dashboard | dga/dashboard/dga_dashboard.ndjson

ML-HostRiskScore-20211007-3

08 Oct 03:35
cdbd5a6

Pre-release

For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning

Tested and compatible with Elastic Stack version 7.16.


Changelog

  • Updating all the necessary artifacts to account for space awareness, mainly the transforms and dashboard blob.

ML-HostRiskScore-20210826-2

26 Aug 15:29
675e870

Pre-release

For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning

Tested and compatible with Elastic Stack version 7.15.


Changelog

  • ml_hostriskscore_pivot_transform now incorporates time decay, i.e. older alerts have less impact on the risk score than more recent alerts
  • Two new scripts, ml_hostriskscore_map_script and ml_hostriskscore_reduce_script, to support the changes in ml_hostriskscore_pivot_transform
  • Changes to ml_hostriskscore_levels_script and ml_hostriskscore_ingest_pipeline to account for the changes to ml_hostriskscore_pivot_transform
  • Dashboards updated to 7.13.4: running two versions behind the latest (7.15.0) to give users time to upgrade

ML-experimental-detections-20210805-6

05 Aug 19:05
17bf3c1

Pre-release

changelog

detections added

URL Spoofing

  • Experimental Rules
    • 47b1a804-4f65-40b0-a7ef-fdac3c00b00c: Added new rule for url_spoofing.prediction: phishing (model prediction) or abuseurl_label: 1 (threat intelligence enrichment)

Registry of experimental detections

Experimental detections

  • rules and dashboards can be imported via Kibana
  • jobs and datafeeds can be imported using the CLI or Kibana devtools

Refer to the experimental-machine-learning docs for more details

detection ID | type | relative path
47b1a804-4f65-40b0-a7ef-fdac3c00b00c | rule | url_spoof/rule/url_spoof_ml_predicted_malicious_url.ndjson
problem_child_high_sum_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_parent.json
problem_child_high_sum_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_user.json
problem_child_rare_process_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_parent.json
problem_child_rare_process_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_user.json
problem_child_high_sum_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_host.json
problem_child_rare_process_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_host.json
problem_child_high_sum_by_parent | datafeed | problem_child/datafeed/problem_child_high_sum_by_parent.json
problem_child_high_sum_by_user | datafeed | problem_child/datafeed/problem_child_high_sum_by_user.json
problem_child_rare_process_by_parent | datafeed | problem_child/datafeed/problem_child_rare_process_by_parent.json
problem_child_rare_process_by_user | datafeed | problem_child/datafeed/problem_child_rare_process_by_user.json
problem_child_high_sum_by_host | datafeed | problem_child/datafeed/problem_child_high_sum_by_host.json
problem_child_rare_process_by_host | datafeed | problem_child/datafeed/problem_child_rare_process_by_host.json
9a2e372a-cbeb-4ad6-a288-017ef086324c | rule | problem_child/rule/problem_child_ml_high_probability_suspicious_windows_event.ndjson
a5cb4cd7-ba05-47e8-a815-f95c21719ded | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_user.ndjson
9b98d945-2cce-45e5-aa84-4b021af0e153 | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_parent.ndjson
ff590871-371b-468f-8cd8-2876b54c53bd | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_user.ndjson
ae7c2f69-0c51-4b02-ad54-d3d75023da8b | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_parent.ndjson
34184d4e-ef61-477b-8d76-5c93448c29bf | rule | problem_child/rule/problem_child_ml_predicted_suspicious_windows_event.ndjson
415d6863-7676-401f-aa8d-62f59a28e849 | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_host.ndjson
86d57ec4-ace5-4456-8145-02e6f0cdd71a | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_host.ndjson
dga_high_sum_probability | anomaly_detection | dga/anomaly_detection/dga_high_sum_probability.json
dga_high_sum_probability | datafeed | dga/datafeed/dga_high_sum_probability.json
997ec71d-bddc-4513-b6f1-193f601fd420 | rule | dga/rule/dga_command_and_control_high_sum_scores.ndjson
170b35d4-d944-4264-a8ca-3118ae2e1534 | rule | dga/rule/dga_command_and_control_ml_sunburst_domain.ndjson
64116bb2-0f2c-4cf6-9df4-9973452b4d4b | rule | dga/rule/dga_command_and_control_ml_predicted_domain.ndjson
a020dadb-3da2-4252-91e9-b0fc148823e2 | rule | dga/rule/dga_command_and_control_ml_probable_domain.ndjson
None | dashboard | dga/dashboard/dga_dashboard.ndjson

ML-URLSpoof-20210805-1

05 Aug 19:04
17bf3c1

Pre-release

model name: urlspoof_20210803_1.0
sha256: 4cbd8d82d382864d28147c5f80ac86108e774319bbe5d2c4c9f3c68d9f86e01e
for details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning


changelog

This is the first release package for URL Spoofing. It consists of the following:

  • Feature Extraction Scripts:

    • ml_urlspoof_char_continuity_script.json: Calculate the continuity of the different parts of the domain (i.e. the number of consecutive characters before a digit is seen)
    • ml_urlspoof_domain_entropy_script.json: Calculate the entropy of the URL domain
    • ml_urlspoof_keyword_extractor_script.json: Extract keywords of interest from certain features
    • ml_urlspoof_ngrams_extractor_script.json: Extract ngrams from certain features
    • ml_urlspoof_remove_features_script.json: Remove extra fields created for prediction purposes to avoid cluttering incoming documents - this will NOT remove any of your original fields in your documents
    • ml_urlspoof_tld_keyword_extractor_script.json: Extract top level domain related keywords of interest from certain features
  • Model:

    • ml_urlspoof_model.json: Supervised model to classify URLs as malicious vs benign
  • Inference Pipeline:

    • ml_urlspoof_inference_pipeline.json: Inference pipeline to make predictions on URLs using the URL Spoofing model and threat intelligence enrichments
  • Training Pipeline:

    • ml_urlspoof_features_pipeline.json: Training pipeline used to train the URL Spoofing model - this is primarily for analysts looking for a starting point to train their own model
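To make the two simplest feature scripts above concrete, here is an added, stand-alone Python re-implementation of the "character continuity" and "domain entropy" features as the release notes describe them. It is not the Painless code shipped in the release bundle, and it assumes its own definitions: continuity is counted per dot-separated label as the run of non-digit characters before the first digit (a label without digits yields its full length), and entropy is Shannon entropy in bits per character over the whole host name.

```python
import math
from collections import Counter
from urllib.parse import urlsplit


def domain_of(url: str) -> str:
    """Return the lower-cased host part of a URL.
    Assumption: a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of the character distribution.
    High values on a host name are one signal of randomly generated labels."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def char_continuity(label: str) -> int:
    """Number of consecutive non-digit characters before the first digit
    (the release notes' 'continuity'); no digit means the whole label."""
    run = 0
    for ch in label:
        if ch.isdigit():
            break
        run += 1
    return run


def url_features(url: str) -> dict:
    """Feature vector for one URL: entropy of the host plus per-label continuity."""
    host = domain_of(url)
    labels = [p for p in host.split(".") if p]
    continuity = [char_continuity(p) for p in labels]
    return {
        "domain": host,
        "domain_entropy": round(shannon_entropy(host), 4),
        "label_continuity": continuity,
        "min_label_continuity": min(continuity, default=0),
    }


if __name__ == "__main__":
    # Constructed sample input, not data from the release.
    print(url_features("https://accounts-login-verify99.example.net/path"))
```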

ML-HostRiskScore-20210803-1

03 Aug 17:20
06a9ba6

Pre-release

For details, reference: https://github.com/elastic/detection-rules/tree/main/docs/experimental-machine-learning/

Tested and compatible with Elastic Stack version 7.14.


Changelog

This is the first release package for Host Risk Score. It consists of the following:

  • Scripts, ingest pipelines and transforms used to calculate and update risk score across all hosts in your environment
  • dashboards.ndjson contains all the assets required for two dashboards: "Current Risk Score for Hosts", which shows the top 20 currently risky hosts in your environment, and "Drilldown of Host Risk Score", which allows users to drill down further into the details of the risk components associated with a particular host.