From 5ed42978f8f4471f1f1852ffe90e04bcbb0713e6 Mon Sep 17 00:00:00 2001 From: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com> Date: Tue, 26 Nov 2024 19:24:35 -0500 Subject: [PATCH] [ML] Adds new security module to detect anomalous activity in host-based logs (#195582) ## Summary Adds a new security module `Security: Host` to the prebuilt security jobs. The module has the following jobs: - Detect Spike in Host based traffic - Detect Decrease in Host based traffic --- .../modules/security_host/logo.json | 3 + .../modules/security_host/manifest.json | 60 +++++++++++++++++++ ...eed_high_count_events_for_a_host_name.json | 33 ++++++++++ ...feed_low_count_events_for_a_host_name.json | 33 ++++++++++ .../ml/high_count_events_for_a_host_name.json | 29 +++++++++ .../ml/low_count_events_for_a_host_name.json | 29 +++++++++ .../apis/ml/modules/get_module.ts | 2 + .../apis/ml/modules/recognize_module.ts | 1 + .../services/ml/supplied_configurations.ts | 2 +- 9 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/logo.json create mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/manifest.json create mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json create mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json create mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json create mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/logo.json new file mode 100644 index 0000000000000..862f970b7405d --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/logo.json @@ -0,0 +1,3 @@ +{ + "icon": "logoSecurity" +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/manifest.json new file mode 100644 index 0000000000000..46d35c3761b6e --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/manifest.json @@ -0,0 +1,60 @@ +{ + "id": "security_host", + "title": "Security: Host", + "description": "Detect anomalous activity in your ECS-compatible host-based logs.", + "type": "Host data", + "logoFile": "logo.json", + "defaultIndexPattern": "auditbeat-*,logs-*,filebeat-*,winlogbeat-*", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "event.category" + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "event.dataset" + } + }, + { + "term": { + "event.outcome": "success" + } + } + ], + "must_not": { "terms": { "_tier": ["data_frozen", "data_cold"] } } + } + }, + "jobs": [ + { + "id": "high_count_events_for_a_host_name", + "file": "high_count_events_for_a_host_name.json" + }, + { + "id": "low_count_events_for_a_host_name", + "file": "low_count_events_for_a_host_name.json" + } + ], + "datafeeds": [ + { + "id": "datafeed-high_count_events_for_a_host_name", + "file": "datafeed_high_count_events_for_a_host_name.json", + "job_id": "high_count_events_for_a_host_name" + }, + { + "id": "datafeed-low_count_events_for_a_host_name", + "file": "datafeed_low_count_events_for_a_host_name.json", + "job_id": "low_count_events_for_a_host_name" + } + ], + "tags": [ + "security" + ] +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json new file mode 100644 index 0000000000000..2e6792469a2cd --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_high_count_events_for_a_host_name.json @@ -0,0 +1,33 @@ +{ + "job_id": "JOB_ID", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "event.category" + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "event.dataset" + } + }, + { + "term": { + "event.outcome": "success" + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json new file mode 100644 index 0000000000000..2e6792469a2cd --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/datafeed_low_count_events_for_a_host_name.json @@ -0,0 +1,33 @@ +{ + "job_id": "JOB_ID", + "indices": [ + "INDEX_PATTERN_NAME" + ], + "max_empty_searches": 10, + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "event.category" + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "event.dataset" + } + }, + { + "term": { + "event.outcome": "success" + } + } + ] + } + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json new file mode 100644 index 0000000000000..f103d2b34c5ad --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/high_count_events_for_a_host_name.json @@ -0,0 +1,29 @@ +{ + "description": "Security: Host - Looks for a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks, malware infections, privilege escalation, or data exfiltration.", + "groups": ["security", "host"], + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "high count of host based events", + "function": "high_count", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": ["host.name", "host.ip", "event.dataset", "event.action", "event.category"] + }, + "allow_lazy_open": true, + "analysis_limits": { + "model_memory_limit": "128mb" + }, + "data_description": { + "time_field": "@timestamp" + }, + "custom_settings": { + "created_by": "ml-module-security-host", + "security_app_display_name": "Spike in the Host Traffic", + "managed": true, + "job_revision": 1 + } +} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json new file mode 100644 index 0000000000000..ae8bfd163826b --- /dev/null +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_host/ml/low_count_events_for_a_host_name.json @@ -0,0 +1,29 @@ +{ + "description": "Security: Host - Looks for a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system, a failed service, or a network misconfiguration.", + "groups": ["security", "host"], + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "low count of host based events", + "function": "low_count", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": ["host.name", "host.ip", "event.dataset", "event.action", "event.category"] + }, + "allow_lazy_open": true, + "analysis_limits": { + "model_memory_limit": "128mb" + }, + "data_description": { + "time_field": "@timestamp" + }, + "custom_settings": { + "created_by": "ml-module-security-host", + "security_app_display_name": "Decrease in the Host Traffic", + "managed": true, + "job_revision": 1 + } +} diff --git a/x-pack/test/api_integration/apis/ml/modules/get_module.ts b/x-pack/test/api_integration/apis/ml/modules/get_module.ts index ee223eb0de3eb..d8f3ce7365260 100644 --- a/x-pack/test/api_integration/apis/ml/modules/get_module.ts +++ b/x-pack/test/api_integration/apis/ml/modules/get_module.ts @@ -28,6 +28,7 @@ const moduleIds = [ 'sample_data_weblogs', 'security_auth', 'security_cloudtrail', + 'security_host', 'security_linux_v3', 'security_network', 'security_packetbeat', @@ -41,6 +42,7 @@ const securityModuleIds = [ 'logs_ui_categories', 'security_auth', 'security_cloudtrail', + 'security_host', 'security_linux_v3', 'security_network', 'security_packetbeat', diff --git a/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts b/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts index 31dd5f3354635..3daa5e73f308a 100644 --- a/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts +++ b/x-pack/test/api_integration/apis/ml/modules/recognize_module.ts @@ -135,6 +135,7 @@ export default ({ getService }: FtrProviderContext) => { responseCode: 200, moduleIds: [ 'security_auth', + 'security_host', 'security_linux_v3', 'security_network', 'security_windows_v3', diff --git a/x-pack/test/functional/services/ml/supplied_configurations.ts b/x-pack/test/functional/services/ml/supplied_configurations.ts index 622d662994533..ff92877fcc4b3 100644 --- a/x-pack/test/functional/services/ml/supplied_configurations.ts +++ b/x-pack/test/functional/services/ml/supplied_configurations.ts @@ -27,7 +27,7 @@ export function MachineLearningSuppliedConfigurationsProvider({ getService }: Ft ); }, async assertAllConfigurationsAreLoaded() { - const expectedLength = 18; + const expectedLength = 19; await retry.tryForTime(10 * 1000, async () => { const cards = await testSubjects.findAll('mlSuppliedConfigurationsCard'); expect(cards.length).to.eql(