LoFP / ml

ml rule

Title    Tags
a misconfigured network application or firewall may trigger this alert. security scans or test cycles may trigger this alert.
a misconfigured service account can trigger this alert. a password change on an account used by an email client can trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
a new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert.
a newly installed program or one that rarely uses the network could trigger this alert.
a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
a newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
a newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
business travelers who roam to new locations may trigger this alert.
business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. a new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. business travelers who roam to many countries for brief periods may trigger this alert.
business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. a new business workflow or a surge in business activity may trigger this alert. a misconfigured network application or firewall may trigger this alert.
certain kinds of security testing may trigger this alert. powershell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.
dns domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
security audits may trigger this alert. conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert.
uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue.
uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration.
uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration.
uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
user accounts that are rarely active, such as a site reliability engineer (sre) or developer logging into a production server for troubleshooting, may trigger this alert. under some conditions, a newly created user account may briefly trigger this alert while the model is learning.
users running scripts in the course of technical support operations or software upgrades could trigger this alert. a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
users working late, or logging in from unusual time zones while traveling, may trigger this rule.
web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. a new or rarely used program that calls web services may trigger this alert.
web activity that occurs rarely in small quantities can trigger this alert. possible examples are browsing technical support or vendor urls that are used very sparsely. a user who visits a new and unique web destination may trigger this alert when the activity is sparse. web applications that generate urls unique to a transaction may trigger this alert when they are used sparsely. web domains can be excluded in cases such as these.