forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
persistence_ml_linux_anomalous_process_all_hosts.toml
58 lines (51 loc) · 2.45 KB
/
persistence_ml_linux_anomalous_process_all_hosts.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
[metadata]
creation_date = "2020/03/25"
maturity = "production"
updated_date = "2022/08/24"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of
false positives since automated maintenance processes usually only run occasionally on a single machine but are common
to all or many hosts in a fleet.
"""
false_positives = [
"""
A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
alert.
""",
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_linux_anomalous_process_all_hosts"]
name = "Anomalous Process For a Linux Population"
note = """## Triage and analysis
### Investigating an Unusual Linux Process
Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:
- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.
- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "647fc812-7996-4795-8869-9c4ea595fe88"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Persistence"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"