diff --git a/packages/privileged_access/changelog.yml b/packages/privileged_access/changelog.yml new file mode 100644 index 000000000000..bb7f12000277 --- /dev/null +++ b/packages/privileged_access/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.0.1" + changes: + - description: Initial release of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/#### diff --git a/packages/privileged_access/docs/README.md b/packages/privileged_access/docs/README.md new file mode 100644 index 000000000000..a3663e965481 --- /dev/null +++ b/packages/privileged_access/docs/README.md @@ -0,0 +1,15 @@ +# Privileged Access Detection + + + +## Installation + +## Anomaly Detection Jobs + +| Job | Description | +|---------------------------------------------------|-------------------------------------------------------------------------------------------------| | + + +## Licensing + +Usage in production requires that you have a license key that permits use of machine learning features. \ No newline at end of file diff --git a/packages/privileged_access/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/privileged_access/elasticsearch/transform/pivot_transform/fields/fields.yml new file mode 100644 index 000000000000..f88e963f3893 --- /dev/null +++ b/packages/privileged_access/elasticsearch/transform/pivot_transform/fields/fields.yml @@ -0,0 +1,14 @@ +- name: host.name + type: keyword +- name: user.name + type: keyword +- name: privilege_type + type: keyword +- name: event.action + type: keyword +- name: event.code + type: keyword +- name: event.category + type: keyword +- name: '@timestamp' + type: date \ No newline at end of file diff --git a/packages/privileged_access/elasticsearch/transform/pivot_transform/transform.yml b/packages/privileged_access/elasticsearch/transform/pivot_transform/transform.yml new file mode 100644 index 000000000000..34d650ae6a76 --- /dev/null 
+++ b/packages/privileged_access/elasticsearch/transform/pivot_transform/transform.yml @@ -0,0 +1,60 @@ +source: + index: "logs-*" + query: + bool: + filter: + - range: + '@timestamp': + gte: now-1M + - exists: + field: winlog.event_data.PrivilegeList + - terms: + 'host.os.type': ["windows","Windows"] + - terms: + 'event.action': ["logged-in-special","privileged-service-called","privileged-operation"] + - terms: + 'winlog.event_data.PrivilegeList': ["SeDebugPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege", "SeRestorePrivilege","SeImpersonatePrivilege","SeAssignPrimaryTokenPrivilege"] +dest: + index: ml_privilege_type_ped-0.0.1 + aliases: + - alias: ml_privilege_type_ped.latest + move_on_creation: true + - alias: ml_privilege_type_ped.all + move_on_creation: false +description: This transform runs hourly and collects special privileges assigned to an user in Windows events for Privilege Escalation Detection package. +frequency: 1h +pivot: + aggregations: + '@timestamp': + max: + field: '@timestamp' + group_by: + 'host.name': + terms: + field: host.name + 'user.name': + terms: + field: user.name + 'privilege_type': + terms: + field: winlog.event_data.PrivilegeList + 'event.action': + terms: + field: event.action + 'event.category': + terms: + field: event.category + 'event.code': + terms: + field: event.code +settings: + # This is required to prevent the transform from clobbering the Fleet-managed mappings. + deduce_mappings: false + unattended: true +sync: + time: + delay: 60s + field: '@timestamp' +_meta: + fleet_transform_version: 0.0.1 + run_as_kibana_system: false \ No newline at end of file diff --git a/packages/privileged_access/img/icon-machine-learning.svg b/packages/privileged_access/img/icon-machine-learning.svg new file mode 100644 index 000000000000..f72fa354d8ad --- /dev/null +++ b/packages/privileged_access/img/icon-machine-learning.svg @@ -0,0 +1,4 @@ + + + + 
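Review bot: The source query keeps every 4672/4673/4674 event whose PrivilegeList contains SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, and those two are typically held by ordinary service identities (SYSTEM, LOCAL SERVICE, NETWORK SERVICE, machine accounts), so the pivot is likely to be dominated by high-volume benign special logons rather than the human privilege assignments the `rare` job downstream is meant to model — worth confirming against a sample of your 4672 volume. Consider an exclusion next to the existing `filter`, e.g. `must_not:` / `- terms: {'user.name': ["SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"]}` / `- wildcard: {'user.name': "*$"}`, or at least document the expected noise in the README. The `exists` clause on `winlog.event_data.PrivilegeList` is redundant with the `terms` filter on the same field and can be dropped. The `description` calls this the "Privilege Escalation Detection package" while the manifest titles the package "Privileged Access Detection"; use one name.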
diff --git a/packages/privileged_access/kibana/ml_module/ped-ml.json b/packages/privileged_access/kibana/ml_module/ped-ml.json
new file mode 100644
index 000000000000..5780fcdc7a7e
--- /dev/null
+++ b/packages/privileged_access/kibana/ml_module/ped-ml.json
@@ -0,0 +1,1847 @@ +{ + "attributes": { + "id": "ped-ml", + "title": "Privilege Escalation Detection", + "description": "", + "type": "ped", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "winlog.event_id" + } + } + ] + } + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + } + ] + } + }, + { + "exists": { + "field": "privilege_type" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "ped_windows_high_count_special_logon_events", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects unusually high special logon events initiated by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_high_count_special_privilege_use_events", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects unusually high special privilege use events initiated by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_count", + "by_field_name": "event.action", + 
"partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_high_count_group_management_events", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects unusually high security group management events initiated by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName", + "winlog.event_data.MemberSid" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_high_count_user_account_management_events", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects unusually high security user account management events initiated by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + 
"created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_rare_privilege_assigned_to_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects an unusual privilege type assigned to an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_rare_group_name_by_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects an unusual group name accessed by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_rare_device_by_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects an unusual device accessed by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "group.name", + 
"winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_rare_source_ip_by_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects an unusual source IP address accessed by the user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_rare_region_name_by_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects an unusual region name for the user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_windows_unusual_time_of_week_for_privileged_events", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects an unusual time of week for privileged events.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { 
+ "detector_description": "Unusual time of week for privileged actions", + "function": "time_of_week", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_linux_high_count_privileged_events_by_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects a spike in privileged events executed by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged events by user name", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "process.name", + "process.command_line", + "process.working_directory" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "ped_linux_rare_process_executed_by_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects a rare process executed by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "process.name", + "process.command_line", + "process.working_directory" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": 
"ped_linux_high_info_content_command_line_by_user", + "config": { + "groups": [ + "security", + "privilege_escalation" + ], + "description": "Detects high information content in command lines that are executed by an user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High info content in command line by user name", + "function": "high_info_content", + "field_name": "process.command_line", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "user.name", + "process.name", + "process.command_line", + "process.working_directory" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-ped_high_count_special_logon_events", + "job_id": "ped_high_count_special_logon_events", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_high_count_special_logon_events", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_high_count_special_privilege_use_events", + "job_id": "ped_high_count_special_privilege_use_events", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_high_count_special_privilege_use_events", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_high_count_group_management_events", + "job_id": 
"ped_high_count_group_management_events", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_high_count_group_management_events", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_high_count_user_account_management_events", + "job_id": "ped_high_count_user_account_management_events", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_high_count_user_account_management_events", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_rare_privilege_assigned_to_user", + "job_id": "ped_rare_privilege_assigned_to_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_rare_privilege_assigned_to_user", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_rare_group_name_by_user", + "job_id": "ped_rare_group_name_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_rare_group_name_by_user", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ] + } + } + } + }, + { + "id": 
"datafeed-ped_rare_device_by_user", + "job_id": "ped_rare_device_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_rare_device_by_user", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_rare_source_ip_by_user", + "job_id": "ped_rare_source_ip_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_rare_source_ip_by_user", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_rare_region_name_by_user", + "job_id": "ped_rare_region_name_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_rare_region_name_by_user", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", 
+ "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_unusual_time_of_week_for_privileged_events", + "job_id": "ped_unusual_time_of_week_for_privileged_events", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_unusual_time_of_week_for_privileged_events", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_linux_high_count_privileged_events_by_user", + "job_id": "ped_linux_high_count_privileged_events_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_linux_high_count_privileged_events_by_user", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "wildcard": { + "process.command_line": "*sudo*root*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*etc*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*visudo*" + } + }, + { + "wildcard": { + "process.command_line": "*timestamp_timeout=-1*" + } + }, + { + "wildcard": { + "process.command_line": "*tty_tickets*" + } + }, + { + "wildcard": { + "process.command_line": "*etc/cron.d*" + } + }, + { + "wildcard": { + "process.command_line": "*var/spool/cron*" + } + }, + { + "wildcard": { + "process.command_line": "*chmod*cron.d*" + } + }, + { + "wildcard": { + "process.command_line": "* trap *" + } + }, + { + 
"wildcard": { + "process.command_line": "*LD_PRELOAD*" + } + }, + { + "wildcard": { + "process.command_line": "*ld.so.preload*" + } + }, + { + "wildcard": { + "process.command_line": "*chmod*u+s*" + } + }, + { + "wildcard": { + "process.command_line": "*chmod*g+s*" + } + }, + { + "wildcard": { + "process.command_line": "*setcap*setuid*" + } + }, + { + "wildcard": { + "process.command_line": "*setcap*setgid*" + } + }, + { + "wildcard": { + "process.command_line": "*find*perm*4000*" + } + }, + { + "wildcard": { + "process.command_line": "*find*perm*2000*" + } + }, + { + "wildcard": { + "process.command_line": "* gcc *" + } + }, + { + "wildcard": { + "process.command_line": "* cc *" + } + }, + { + "wildcard": { + "process.command_line": "*/root/.ssh/authorized_keys*" + } + }, + { + "wildcard": { + "process.command_line": "*insmod*.*.ko" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*start*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*enable*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*start*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*enable*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*timer*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*service*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*timer*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*service*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bash_profile*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bashrc*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.shrc*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*/etc/profile*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bash_logout*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*/etc/rc.*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*restart*" + } + }, + { + "wildcard": { + 
"process.command_line": "*systemctl*daemon-reload*" + } + }, + { + "wildcard": { + "process.command_line": "*etc/init.d/*" + } + }, + { + "wildcard": { + "process.command_line": "* echo * at * now *" + } + }, + { + "wildcard": { + "process.command_line": "*useradd*" + } + }, + { + "wildcard": { + "process.command_line": "*passwd*" + } + }, + { + "wildcard": { + "process.command_line": "*pw mod user*" + } + }, + { + "wildcard": { + "process.command_line": "*pw unlock*" + } + }, + { + "wildcard": { + "process.command_line": "*usermod*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*nobody*" + } + }, + { + "wildcard": { + "process.command_line": "*su*nobody*" + } + } + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_linux_rare_process_executed_by_user", + "job_id": "ped_linux_rare_process_executed_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_linux_rare_process_executed_by_user", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "wildcard": { + "process.command_line": "*sudo*root*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*etc*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*visudo*" + } + }, + { + "wildcard": { + "process.command_line": "*timestamp_timeout=-1*" + } + }, + { + "wildcard": { + "process.command_line": "*tty_tickets*" + } + }, + { + "wildcard": { + "process.command_line": "*etc/cron.d*" + } + }, + { + "wildcard": { + "process.command_line": "*var/spool/cron*" + } + }, + { + "wildcard": { + "process.command_line": "*chmod*cron.d*" + } + }, + { + "wildcard": { + "process.command_line": "* trap *" + } + }, + { + "wildcard": { + "process.command_line": "*LD_PRELOAD*" + } + }, + { + "wildcard": { + "process.command_line": "*ld.so.preload*" + } + }, 
+ { + "wildcard": { + "process.command_line": "*chmod*u+s*" + } + }, + { + "wildcard": { + "process.command_line": "*chmod*g+s*" + } + }, + { + "wildcard": { + "process.command_line": "*setcap*setuid*" + } + }, + { + "wildcard": { + "process.command_line": "*setcap*setgid*" + } + }, + { + "wildcard": { + "process.command_line": "*find*perm*4000*" + } + }, + { + "wildcard": { + "process.command_line": "*find*perm*2000*" + } + }, + { + "wildcard": { + "process.command_line": "* gcc *" + } + }, + { + "wildcard": { + "process.command_line": "* cc *" + } + }, + { + "wildcard": { + "process.command_line": "*/root/.ssh/authorized_keys*" + } + }, + { + "wildcard": { + "process.command_line": "*insmod*.*.ko" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*start*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*enable*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*start*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*enable*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*timer*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*service*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*timer*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*service*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bash_profile*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bashrc*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.shrc*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*/etc/profile*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bash_logout*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*/etc/rc.*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*restart*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*daemon-reload*" + } + }, + { + "wildcard": { + "process.command_line": "*etc/init.d/*" + } + }, + { + 
"wildcard": { + "process.command_line": "* echo * at * now *" + } + }, + { + "wildcard": { + "process.command_line": "*useradd*" + } + }, + { + "wildcard": { + "process.command_line": "*passwd*" + } + }, + { + "wildcard": { + "process.command_line": "*pw mod user*" + } + }, + { + "wildcard": { + "process.command_line": "*pw unlock*" + } + }, + { + "wildcard": { + "process.command_line": "*usermod*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*nobody*" + } + }, + { + "wildcard": { + "process.command_line": "*su*nobody*" + } + } + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ped_linux_high_info_content_in_command_line_by_user", + "job_id": "ped_linux_high_info_content_in_command_line_by_user", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ped_linux_high_info_content_in_command_line_by_user", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "wildcard": { + "process.command_line": "*sudo*root*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*etc*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*visudo*" + } + }, + { + "wildcard": { + "process.command_line": "*timestamp_timeout=-1*" + } + }, + { + "wildcard": { + "process.command_line": "*tty_tickets*" + } + }, + { + "wildcard": { + "process.command_line": "*etc/cron.d*" + } + }, + { + "wildcard": { + "process.command_line": "*var/spool/cron*" + } + }, + { + "wildcard": { + "process.command_line": "*chmod*cron.d*" + } + }, + { + "wildcard": { + "process.command_line": "* trap *" + } + }, + { + "wildcard": { + "process.command_line": "*LD_PRELOAD*" + } + }, + { + "wildcard": { + "process.command_line": "*ld.so.preload*" + } + }, + { + "wildcard": { + "process.command_line": "*chmod*u+s*" + } + }, + { + "wildcard": { + 
"process.command_line": "*chmod*g+s*" + } + }, + { + "wildcard": { + "process.command_line": "*setcap*setuid*" + } + }, + { + "wildcard": { + "process.command_line": "*setcap*setgid*" + } + }, + { + "wildcard": { + "process.command_line": "*find*perm*4000*" + } + }, + { + "wildcard": { + "process.command_line": "*find*perm*2000*" + } + }, + { + "wildcard": { + "process.command_line": "* gcc *" + } + }, + { + "wildcard": { + "process.command_line": "* cc *" + } + }, + { + "wildcard": { + "process.command_line": "*/root/.ssh/authorized_keys*" + } + }, + { + "wildcard": { + "process.command_line": "*insmod*.*.ko" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*start*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*enable*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*start*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*enable*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*timer*" + } + }, + { + "wildcard": { + "process.command_line": "*systemd*service*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*timer*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*service*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bash_profile*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bashrc*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.shrc*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*/etc/profile*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*.bash_logout*" + } + }, + { + "wildcard": { + "process.command_line": "*echo*/etc/rc.*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*restart*" + } + }, + { + "wildcard": { + "process.command_line": "*systemctl*daemon-reload*" + } + }, + { + "wildcard": { + "process.command_line": "*etc/init.d/*" + } + }, + { + "wildcard": { + "process.command_line": "* echo * at * now *" + } + }, + { + "wildcard": { 
+ "process.command_line": "*useradd*" + } + }, + { + "wildcard": { + "process.command_line": "*passwd*" + } + }, + { + "wildcard": { + "process.command_line": "*pw mod user*" + } + }, + { + "wildcard": { + "process.command_line": "*pw unlock*" + } + }, + { + "wildcard": { + "process.command_line": "*usermod*" + } + }, + { + "wildcard": { + "process.command_line": "*sudo*nobody*" + } + }, + { + "wildcard": { + "process.command_line": "*su*nobody*" + } + } + ] + } + } + ] + } + } + } + } + ] + }, + "id": "ped-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} \ No newline at end of file diff --git a/packages/privileged_access/manifest.yml b/packages/privileged_access/manifest.yml new file mode 100644 index 000000000000..e0d653ee24fc --- /dev/null +++ b/packages/privileged_access/manifest.yml @@ -0,0 +1,31 @@ +format_version: 3.0.0 +name: privileged_access +title: "Privileged Access Detection" +version: 0.0.1 +source: + license: "Elastic-2.0" +description: "ML package to detect anomalous Privileged Access" +type: integration +categories: + - security + - advanced_analytics_ueba +conditions: + kibana: + version: "^8.18.0" + elastic: + subscription: platinum + capabilities: + - security +screenshots: + - src: # TODO: + title: Anomaly detection alerts + size: 600x600 + type: image/png +icons: + - src: /img/icon-machine-learning.svg + title: Sample logo + size: 32x32 + type: image/svg+xml +owner: + github: elastic/sec-applied-ml + type: elastic \ No newline at end of file
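Review bot: The datafeed `job_id` values do not match the job ids declared in the `jobs` array: the Windows jobs are named `ped_windows_high_count_special_logon_events` and so on, but their datafeeds reference `ped_high_count_special_logon_events` (no `windows_`), and the Linux job `ped_linux_high_info_content_command_line_by_user` is paired with a datafeed for `ped_linux_high_info_content_in_command_line_by_user`; only two of the thirteen pairs agree, so the datafeeds cannot attach to their jobs when the module is set up. Rename one side so each datafeed's `id`/`job_id` equals its job's `id`, e.g. `"job_id": "ped_windows_high_count_special_logon_events"`. Every job also carries `"created_by": "ml-module-lmd"`, which looks copied from the lateral-movement module and should identify this package, e.g. `"created_by": "ml-module-ped"`. The `datafeed-ped_high_count_special_logon_events` query admits event code 4648 (`logged-in-explicit`) although the job and detector describe special logons only, and the shared `event.code` lists repeat `4720` and `4756`; tighten and dedupe those. The leading-wildcard `process.command_line` clauses in the Linux datafeeds (`*passwd*`, `* cc *`) are costly across `logs-*` and broad enough to match routine reads of /etc/passwd, which is worth a caveat in the README.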
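Review bot: `screenshots[0].src` is left empty behind a `# TODO:` comment, which YAML reads as `null`; the package spec expects a string path there, so `elastic-package` validation would presumably reject the manifest as committed. Either add the image under `img/` and reference it, e.g. `src: /img/ped-anomalies.png`, or drop the `screenshots` stanza until an image exists. The icon `title: Sample logo` is likewise template text and should name the package.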