Sample rules
Anomalous Process For a Windows Population
- source: elastic
- technicques:
- T1204
- T1543
Description
Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.
Detection logic
Anomalous Process For a Linux Population
- source: elastic
- technicques:
- T1543
Description
Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.
Detection logic
Unusual Process For a Linux Host
- source: elastic
- technicques:
- T1543
Description
Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.
Detection logic
Unusual Windows Service
- source: elastic
- technicques:
- T1543
Description
A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.
Detection logic
Unusual Process For a Windows Host
- source: elastic
- technicques:
- T1543
Description
Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.
Detection logic
Unusual DNS Activity
- source: elastic
- technicques:
- T1071
Description
A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.
Detection logic