nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/beaconing/command_and_control_beaconing.toml

@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["beaconing", "endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain
+stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain
+persistence in a network.
+"""
+from = "now-1h"
+index = ["ml_beaconing.all"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Statistical Model Detected C2 Beaconing Activity"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/beaconing",
+    "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
+]
+risk_score = 21
+rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
+setup = """## Setup
+
+The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
+
+### Network Beaconing Identification Setup
+The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.
+
+#### Prerequisite Requirements:
+- Fleet is required for Network Beaconing Identification.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+"""
+severity = "low"
+tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+beacon_stats.is_beaconing: true and
+not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or
+                   "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or
+                   "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or
+                   "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe" or
+                   "agentbeat" or "dnf" or "yum" or "apt"
+                  )
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Statistical Model Detected C2 Beaconing Activity
+
+Statistical models analyze network traffic patterns to identify anomalies indicative of C2 beaconing, a tactic used by attackers to maintain covert communication with compromised systems. Adversaries exploit this by sending periodic signals to C2 servers, often mimicking legitimate traffic. The detection rule leverages statistical analysis to flag unusual beaconing while excluding known benign processes, thus highlighting potential threats without overwhelming analysts with false positives.
+
+### Possible investigation steps
+
+- Review the network traffic logs to identify the source and destination IP addresses associated with the beaconing activity flagged by the statistical model.
+- Cross-reference the identified IP addresses with threat intelligence databases to determine if they are associated with known malicious C2 servers.
+- Analyze the frequency and pattern of the beaconing signals to assess whether they mimic legitimate traffic or exhibit characteristics typical of C2 communication.
+- Investigate the processes running on the source system to identify any suspicious or unauthorized applications that may be responsible for the beaconing activity.
+- Check for any recent changes or anomalies in the system's configuration or installed software that could indicate a compromise.
+- Examine the historical network activity of the source system to identify any other unusual patterns or connections that may suggest a broader compromise.
+
+### False positive analysis
+
+- The rule may flag legitimate processes that exhibit periodic network communication patterns similar to C2 beaconing. Processes like "metricbeat.exe" and "packetbeat.exe" are known to generate regular network traffic for monitoring purposes.
+- Users can manage these false positives by adding exceptions for these known benign processes in the detection rule, ensuring they are not flagged as threats.
+- Regularly review and update the list of excluded processes to include any new legitimate applications that may mimic beaconing behavior, reducing unnecessary alerts.
+- Consider implementing a whitelist approach for processes that are verified as non-threatening, allowing the statistical model to focus on truly anomalous activities.
+- Engage with network and security teams to understand the normal traffic patterns of your environment, which can help in refining the detection rule and minimizing false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further communication with the C2 server and limit potential data exfiltration.
+- Terminate any suspicious processes identified by the alert that are not part of the known benign list, ensuring that any malicious activity is halted.
+- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove any malicious software or files.
+- Review and analyze network logs to identify any other systems that may have communicated with the same C2 server, and apply similar containment measures to those systems.
+- Restore the affected system from a known good backup to ensure that any persistent threats are removed, and verify the integrity of the restored system.
+- Implement network segmentation to limit the ability of compromised systems to communicate with critical infrastructure and sensitive data.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional measures are needed to prevent recurrence."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

nldcsc_elastic_rules/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["beaconing", "endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help
+attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and
+maintain persistence in a network.
+"""
+from = "now-1h"
+index = ["ml_beaconing.all"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Statistical Model Detected C2 Beaconing Activity with High Confidence"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/beaconing",
+    "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
+]
+risk_score = 21
+rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
+setup = """## Setup
+
+The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
+
+### Network Beaconing Identification Setup
+The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.
+
+#### Prerequisite Requirements:
+- Fleet is required for Network Beaconing Identification.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+"""
+severity = "low"
+tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+beacon_stats.beaconing_score: 3
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Statistical Model Detected C2 Beaconing Activity with High Confidence
+
+Statistical models analyze network traffic patterns to identify anomalies indicative of C2 beaconing, a tactic where attackers maintain covert communication with compromised systems. Adversaries exploit this to issue commands, exfiltrate data, and sustain network presence. The detection rule leverages a high beaconing score to flag potential threats, aiding analysts in pinpointing suspicious activities linked to C2 operations.
+
+### Possible investigation steps
+
+- Review the network traffic logs to identify the source and destination IP addresses associated with the beaconing activity flagged by the beacon_stats.beaconing_score of 3.
+- Correlate the identified IP addresses with known malicious IP databases or threat intelligence feeds to determine if they are associated with known C2 servers.
+- Analyze the frequency and pattern of the beaconing activity to assess whether it aligns with typical C2 communication patterns, such as regular intervals or specific time frames.
+- Investigate the domain names involved in the communication to check for any associations with malicious activities or suspicious registrations.
+- Examine the payloads or data transferred during the flagged communication sessions to identify any potential exfiltration of sensitive information or receipt of malicious instructions.
+- Cross-reference the involved systems with internal asset inventories to determine if they are critical assets or have been previously flagged for suspicious activities.
+- Consult with the incident response team to decide on containment or remediation actions if the investigation confirms malicious C2 activity.
+
+### False positive analysis
+
+- Regularly scheduled software updates or patch management systems may generate network traffic patterns similar to C2 beaconing. Users can create exceptions for known update servers to reduce false positives.
+- Automated backup systems that frequently communicate with cloud storage services might be flagged. Identifying and excluding these backup services from the analysis can help mitigate this issue.
+- Network monitoring tools that periodically check connectivity or system health can mimic beaconing activity. Whitelisting these monitoring tools can prevent them from being incorrectly flagged.
+- Internal applications that use polling mechanisms to check for updates or status changes may trigger alerts. Documenting and excluding these applications from the rule can minimize false positives.
+- Frequent communication with trusted third-party services, such as content delivery networks, may appear as beaconing. Establishing a list of trusted domains and excluding them from the analysis can help manage this.
+
+### Response and remediation
+
+- Isolate the affected systems from the network to prevent further communication with the C2 server and contain the threat.
+- Conduct a thorough analysis of the network traffic logs to identify any additional compromised systems or lateral movement within the network.
+- Remove any malicious software or scripts identified on the compromised systems, ensuring all traces of the C2 communication channels are eradicated.
+- Apply security patches and updates to all affected systems to close any vulnerabilities exploited by the attackers.
+- Change all credentials and authentication tokens associated with the compromised systems to prevent unauthorized access.
+- Monitor the network for any signs of re-infection or continued C2 activity, using enhanced detection rules and updated threat intelligence.
+- Escalate the incident to the appropriate internal security team or external cybersecurity experts for further investigation and to assess the potential impact on the organization."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

nldcsc_elastic_rules/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml

@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2021/06/23"
+integration = ["cyberarkpas"]
+maturity = "production"
+promotion = true
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code
+correlates to the CyberArk Vault Audit Action Code.
+"""
+false_positives = ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."]
+from = "now-30m"
+index = ["filebeat-*", "logs-cyberarkpas.audit*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "CyberArk Privileged Access Security Error"
+note = """## Setup
+
+The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
+
+This is a promotion rule for CyberArk error events, which are alertable events per the vendor.
+Consult vendor documentation on interpreting specific events.
+"""
+references = [
+    "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3",
+]
+risk_score = 73
+rule_id = "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54"
+rule_name_override = "event.action"
+severity = "high"
+tags = [
+    "Data Source: CyberArk PAS",
+    "Use Case: Log Auditing",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:cyberarkpas.audit and event.type:error
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+

nldcsc_elastic_rules/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml

@@ -0,0 +1,73 @@
+[metadata]
+creation_date = "2021/06/23"
+integration = ["cyberarkpas"]
+maturity = "production"
+promotion = true
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is
+recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
+"""
+false_positives = ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."]
+from = "now-30m"
+index = ["filebeat-*", "logs-cyberarkpas.audit*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "CyberArk Privileged Access Security Recommended Monitor"
+note = """## Setup
+
+The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
+
+This is a promotion rule for CyberArk events, which the vendor recommends should be monitored.
+Consult vendor documentation on interpreting specific events.
+"""
+references = [
+    "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring",
+]
+risk_score = 73
+rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57"
+rule_name_override = "event.action"
+severity = "high"
+tags = [
+    "Data Source: CyberArk PAS",
+    "Use Case: Log Auditing",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:cyberarkpas.audit and
+  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or
+              308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and
+  not event.type:error
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+

nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded", "endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
+name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded",
+    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
+setup = """## Setup
+
+The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
+
+### Data Exfiltration Detection Setup
+The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Data Exfiltration Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Data Exfiltration Activity to an Unusual ISO Code
+
+Machine learning models analyze network traffic patterns to identify anomalies, such as data transfers to unexpected geo-locations. Adversaries exploit command and control channels to exfiltrate data to these unusual regions. The detection rule leverages ML to flag deviations from normal traffic, indicating potential exfiltration activities, thus aiding in early threat identification.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific unusual ISO code and geo-location involved in the data transfer.
+- Analyze network logs to determine the volume and frequency of data transfers to the identified geo-location, comparing it against baseline traffic patterns.
+- Investigate the source IP addresses and devices involved in the data transfer to assess whether they are legitimate or potentially compromised.
+- Check for any recent changes or anomalies in user behavior or access patterns associated with the source devices or accounts.
+- Correlate the alert with other security events or logs, such as authentication logs or endpoint detection alerts, to identify any related suspicious activities.
+- Consult threat intelligence sources to determine if the unusual geo-location is associated with known malicious activities or threat actors.
+
+### False positive analysis
+
+- Legitimate business operations involving data transfers to new or infrequent geo-locations may trigger false positives. Users should review these activities and whitelist known safe destinations.
+- Regularly scheduled data backups or transfers to international offices or cloud services can be mistaken for exfiltration. Implement exceptions for these routine operations by updating the model's baseline.
+- Temporary projects or collaborations with partners in unusual regions might cause alerts. Document these activities and adjust the detection parameters to accommodate such temporary changes.
+- Changes in business operations, such as expansion into new markets, can alter normal traffic patterns. Update the model to reflect these changes to prevent unnecessary alerts.
+- Use historical data to identify patterns of benign traffic to unusual regions and adjust the model's sensitivity to reduce false positives while maintaining security vigilance.
+
+### Response and remediation
+
+- Immediately isolate the affected systems from the network to prevent further data exfiltration.
+- Conduct a thorough analysis of the network traffic logs to identify the source and destination of the unusual data transfer, focusing on the specific geo-location flagged by the alert.
+- Block the identified IP addresses or domains associated with the unusual ISO code in the organization's firewall and intrusion prevention systems.
+- Review and update access controls and permissions to ensure that only authorized personnel have access to sensitive data, reducing the risk of unauthorized data transfers.
+- Restore any compromised systems from clean backups, ensuring that all security patches and updates are applied before reconnecting to the network.
+- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data were affected.
+- Implement enhanced monitoring and alerting for similar anomalies in network traffic to improve early detection of potential exfiltration activities in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+

nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded", "endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
+name = "Potential Data Exfiltration Activity to an Unusual IP Address"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded",
+    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c"
+setup = """## Setup
+
+The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
+
+### Data Exfiltration Detection Setup
+The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Data Exfiltration Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Data Exfiltration Activity to an Unusual IP Address
+
+Machine learning models analyze network traffic patterns to identify anomalies, such as data transfers to atypical geo-locations. Adversaries exploit command and control channels to exfiltrate data to these unusual IP addresses. This detection rule leverages ML to flag deviations from normal traffic, indicating potential exfiltration activities, thus aiding in early threat identification.
+
+### Possible investigation steps
+
+- Review the alert details to identify the unusual IP address and geo-location involved in the potential exfiltration activity.
+- Cross-reference the identified IP address with threat intelligence databases to determine if it is associated with known malicious activities or threat actors.
+- Analyze historical network traffic logs to determine if there have been previous connections to the same IP address or geo-location, and assess the volume and frequency of these connections.
+- Investigate the source device or user account associated with the alert to identify any unauthorized access or suspicious behavior leading up to the alert.
+- Check for any recent changes in network configurations or security policies that might have inadvertently allowed the data transfer to the unusual IP address.
+- Collaborate with the IT team to isolate the affected systems, if necessary, and prevent further data exfiltration while the investigation is ongoing.
+
+### False positive analysis
+
+- Legitimate business operations involving data transfers to new or infrequent geo-locations may trigger false positives. Users should review these activities and, if deemed non-threatening, add exceptions for these IP addresses.
+- Regularly scheduled data backups or transfers to cloud services located in different regions can be misidentified as exfiltration. Users can whitelist these services to prevent unnecessary alerts.
+- Remote work scenarios where employees connect from various locations might cause false positives. Implementing a policy to recognize and exclude known employee IP addresses can mitigate this issue.
+- Partner or vendor data exchanges that occur outside typical patterns should be evaluated. If these are routine and secure, users can create exceptions for these specific IP addresses to reduce false alerts.
+
+### Response and remediation
+
+- Isolate the affected systems immediately to prevent further data exfiltration. Disconnect them from the network to stop any ongoing communication with the unusual IP address.
+- Conduct a thorough analysis of the affected systems to identify any malicious software or unauthorized access points. Remove any identified threats and patch vulnerabilities.
+- Change all credentials and access keys that may have been compromised during the exfiltration activity. Ensure that new credentials follow best practices for security.
+- Review and update firewall rules and network access controls to block the identified unusual IP address and similar suspicious IP ranges.
+- Monitor network traffic closely for any signs of continued exfiltration attempts or communication with command and control channels. Use enhanced logging and alerting to detect any anomalies.
+- Escalate the incident to the organization's cybersecurity response team and, if necessary, report the breach to relevant authorities or regulatory bodies as per compliance requirements.
+- Conduct a post-incident review to identify gaps in the current security posture and implement measures to prevent recurrence, such as improving network segmentation and enhancing threat detection capabilities."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+