[Data Exfiltration Detection] Update and add anomaly detection jobs and security rules #6577
Conversation
I am a little skeptical to add |
I feel that I'd avoid creating a lot of false positives for new hosts 🤔 re: 2nd question, in the description's second point, Lastly, is it possible to explain how the Airdrop was tested? |
@susan-shu-c
Tested by setting up a macOS VM using Parallels desktop and also confirmed with Ricardo Ungureanu. |
Overall looks like some great updates here. Left a couple of comments on the detector descriptions and the influencers for one of the ML jobs.
"analysis_config": { | ||
"bucket_span": "3h", | ||
"detectors": [ | ||
{ | ||
"detector_description": "high_sum(\"source.bytes\") over \"destination.geo.city_name\"", | ||
"detector_description": "high_sum(\"source.bytes\") over \"destination.geo.country_iso_code\"", |
All the detectors in the jobs are using the default descriptions which are not always the most user-friendly. These are used in various places in the UI - for example in the ML anomalies table. Any thoughts on going with something which is closer to the form of text used in the job descriptions? For example High bytes sent to an unusual country_iso_code? I know we often go with the defaults, but just wondering if there is something we could do here?
TBH, I didn't try to touch them as we always followed the default for these jobs. I'm down trying simple text as a descriptor, but IDK if it's okay to deviate one package's structure from the rest.
I'd agree with Pete. We've switched to what he's suggesting for our pre-built ML rules. I'd say let's change this package to begin with, and also update others in later versions.
The new detector descriptions look good!
Love the new detections! Made some minor comments.
packages/ded/kibana/security_rule/798c1290-6411-486e-bc85-7ae9fe826aaf.json
packages/ded/kibana/security_rule/7a342a6b-58df-4832-919d-d4bd681e3138.json
packages/ded/kibana/security_rule/da5cd97e-7f3c-40dc-9183-7ef1270e8817.json
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
…681e3138.json Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
…270e8817.json Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
Changes for the ML jobs LGTM
Made the following changes based on my discussion with Dain:
Haven't changed the partition by field in the exfiltration to external device jobs. Let me know the consensus of folks in using |
To document our discussion: Seems that especially for the device anomalies e.g. USB, airdrop, host-based is more useful. And user is added as an influencer. [Edit] I originally deferred to Dain for now on using |
} | ||
}, | ||
{ | ||
"bool":{ |
Do you need this bool? Also do you have to check for existence of source bytes and destination fields? Are they not present in all network events?
Not all network events have source.bytes and destination
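The exchange above is about guarding a query with existence checks before the detectors read source.bytes and destination fields. The following is an added example, not code from this PR or from the ded package: a small evaluator for the subset of Elasticsearch Query DSL the review touches (bool with filter/must/must_not, exists, range, match_all), run over constructed ECS-style events. The events, the GUARDED_QUERY and the choice of destination.ip as the guarded destination field are assumptions made for this illustration.

```python
"""Added example (not code from the PR or the ded package): evaluate a
bool/exists/range query locally over constructed ECS-style events to show
which documents an exists guard keeps and which it drops."""

# Constructed sample events (not real traffic). Two of them lack the fields
# the detectors use, as some network data sources do (no byte counters, or
# no destination at all).
SAMPLE_EVENTS = [
    {"host": {"name": "ws-01"}, "source": {"ip": "10.0.0.5", "bytes": 52_000_000},
     "destination": {"ip": "203.0.113.9", "geo": {"country_iso_code": "XX"}}},
    {"host": {"name": "ws-01"}, "source": {"ip": "10.0.0.5"},          # no source.bytes
     "destination": {"ip": "203.0.113.9"}},
    {"host": {"name": "ws-02"}, "source": {"ip": "10.0.0.6", "bytes": 1_200},
     "dns": {"question": {"name": "example.test"}}},                   # no destination.*
    {"host": {"name": "ws-03"}, "source": {"ip": "10.0.0.7", "bytes": 900_000_000},
     "destination": {"ip": "198.51.100.2", "geo": {"country_iso_code": "YY"}}},
]

# Assumed query (hypothetical, modelled on the review discussion): require the
# fields to exist before any detector or threshold reads them.
GUARDED_QUERY = {"bool": {"filter": [
    {"exists": {"field": "source.bytes"}},
    {"exists": {"field": "destination.ip"}},
]}}


def get_field(doc, path):
    """Resolve a dotted ECS path such as 'destination.geo.country_iso_code'; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(doc, clause):
    """Evaluate one DSL clause: match_all, bool (filter/must/must_not), exists, range."""
    if "match_all" in clause:
        return True
    if "bool" in clause:
        b = clause["bool"]
        positives = b.get("filter", []) + b.get("must", [])
        return (all(matches(doc, c) for c in positives)
                and not any(matches(doc, c) for c in b.get("must_not", [])))
    if "exists" in clause:
        return get_field(doc, clause["exists"]["field"]) is not None
    if "range" in clause:
        (field, bounds), = clause["range"].items()
        v = get_field(doc, field)
        if v is None:                      # a range on a missing field never matches
            return False
        checks = {"gt": lambda b: v > b, "gte": lambda b: v >= b,
                  "lt": lambda b: v < b, "lte": lambda b: v <= b}
        return all(checks[op](b) for op, b in bounds.items())
    raise ValueError(f"unsupported clause: {list(clause)}")


def fed_documents(events, query):
    """Documents a datafeed or rule with this query would hand on to its detectors."""
    return [e for e in events if matches(e, query)]


def dropped_hosts(events, query):
    """Sorted, unique host.name values that have at least one event excluded by the query."""
    return sorted({get_field(e, "host.name") for e in events if not matches(e, query)})


if __name__ == "__main__":
    kept = fed_documents(SAMPLE_EVENTS, GUARDED_QUERY)
    print(len(kept), "of", len(SAMPLE_EVENTS), "events carry both fields")
    print("hosts with excluded events:", dropped_hosts(SAMPLE_EVENTS, GUARDED_QUERY))
```

Running it shows that two of the four constructed events never reach the detectors, and that the excluded ones come from hosts ws-01 and ws-02; the range branch also demonstrates why a numeric comparison alone does not see documents that lack the field.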
packages/ded/kibana/security_rule/5576098d-650d-4b0f-a3a1-48b5b0ce4f15.json
packages/ded/kibana/security_rule/8d4e2e5f-982b-4e8d-b765-a10d648efc33.json
packages/ded/kibana/security_rule/b9d01e71-ac5d-4203-82ed-c1246d6c72c8.json
packages/ded/kibana/security_rule/798c1290-6411-486e-bc85-7ae9fe826aaf.json
Based on my discussion with @susan-shu-c and @ajosh0504, I am keeping the current |
Package ded - 1.0.3 containing this change is available at https://epr.elastic.co/search?package=ded |
2 things -
Either the partitioning needs to be removed or set to source.ip, or the detection needs to be specific to data that includes host.name. Otherwise the partitioning will be effectively based on Packetbeat data by host.name, and everything else (including non-Packetbeat data for the same hosts if any other network data is being ingested). From an enterprise standpoint, the idea of deploying Packetbeat / network capture widely, instead of sensors or netflow, is resource prohibitive, and nothing I would ever want to implement in the real world. |
Also if Packetbeat is used as a sensor (e.g. spanning a network tap) every doc will have the same host.name (the host name of the device receiving the network span) |
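To make the partitioning point concrete, here is an added example that is not code from this PR or from the ded package. It aggregates sum(source.bytes) per bucket and per partition value, which is the series a partitioned high_sum detector would model, and compares partitioning by host.name with partitioning by source.ip for the same constructed traffic seen once by a Packetbeat instance on a span port (every event carries the sensor's host.name) and once by a Packetbeat agent on each endpoint. The 3h bucket span and the field names mirror the analysis_config quoted in the review; the events, the sensor and workstation names, and the use of integer seconds for @timestamp are assumptions made for this illustration, and the aggregation is a plain sum, not the ML model itself.

```python
"""Added example (not code from the PR or the ded package): show how the
partition field chosen for a high_sum(source.bytes) detector changes the
series the job models when Packetbeat runs as a span-port sensor."""
from collections import defaultdict

BUCKET_SPAN_S = 3 * 3600  # "bucket_span": "3h" as in the quoted analysis_config

# Constructed events (not real traffic): three internal hosts observed by one
# Packetbeat instance on a span port, so host.name is the sensor's name on
# every document. @timestamp is simplified to integer seconds.
SENSOR_EVENTS = [
    {"@timestamp": 0,     "host": {"name": "sensor-01"}, "source": {"ip": "10.0.0.5", "bytes": 10_000}},
    {"@timestamp": 600,   "host": {"name": "sensor-01"}, "source": {"ip": "10.0.0.6", "bytes": 20_000}},
    {"@timestamp": 1200,  "host": {"name": "sensor-01"}, "source": {"ip": "10.0.0.7", "bytes": 5_000_000}},
    {"@timestamp": 11000, "host": {"name": "sensor-01"}, "source": {"ip": "10.0.0.5", "bytes": 30_000}},
]

# The same traffic as reported by a Packetbeat agent on each endpoint, where
# host.name identifies the endpoint (hypothetical names derived from the IP).
AGENT_EVENTS = [
    dict(e, host={"name": "ws-" + e["source"]["ip"].rsplit(".", 1)[1]})
    for e in SENSOR_EVENTS
]


def get_field(doc, path):
    """Resolve a dotted ECS path; None if any segment is absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def partition_sums(events, partition_field, value_field="source.bytes", span=BUCKET_SPAN_S):
    """sum(value_field) per (bucket index, partition value).

    This is the per-series input a partitioned high_sum detector would see.
    Events missing the timestamp, the partition field or the value field are
    skipped rather than lumped into a default partition.
    """
    sums = defaultdict(int)
    for e in events:
        part = get_field(e, partition_field)
        value = get_field(e, value_field)
        ts = e.get("@timestamp")
        if part is None or value is None or ts is None:
            continue
        sums[(ts // span, part)] += value
    return dict(sums)


def partitions(events, partition_field):
    """Sorted distinct partition values, i.e. how many separate series the job models."""
    return sorted({p for (_, p) in partition_sums(events, partition_field)})


if __name__ == "__main__":
    for label, events in (("span-port sensor", SENSOR_EVENTS), ("per-host agents", AGENT_EVENTS)):
        for field in ("host.name", "source.ip"):
            print(f"{label:16} partition_field_name={field:10} series={partitions(events, field)}")
    print("sensor data partitioned by host.name:", partition_sums(SENSOR_EVENTS, "host.name"))
```

With the sensor data, partitioning by host.name collapses the three internal hosts into a single series named after the sensor, so the 5,000,000-byte burst from 10.0.0.7 is folded into a 5,030,000-byte bucket total attributed to sensor-01; partitioning by source.ip keeps one series per internal host in both deployments, which is what the review is asking for when host.name cannot be relied on.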
@dainperkins the partitionings on network exfil jobs are already removed.
From an ML standpoint, we think it's better to use |
sorry - thought the following was in regards to all the jobs:
What does this PR do?
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Related issues
Screenshots
Find them in the comment section