forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
command_and_control_ml_packetbeat_rare_urls.toml
59 lines (52 loc) · 2.46 KB
/
command_and_control_ml_packetbeat_rare_urls.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
[metadata]
creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to
initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise
or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted
users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload.
When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for
command-and-control communication. When rare URLs are observed being requested for a local web server by a remote
source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers
which are part of common Internet background traffic.
"""
false_positives = [
"""
Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical
support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger
this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this
when they are used sparsely. Web domains can be excluded in cases such as these.
""",
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_rare_urls"
name = "Unusual Web Request"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
severity = "low"
tags = ["Elastic", "Network", "Threat Detection", "ML", "Command and Control"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"