PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1536) hide show

nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml ADDED Viewed

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded", "endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/01/15"
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are
+outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_port"
+name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded",
+    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
+setup = """## Setup
+The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
+### Data Exfiltration Detection Setup
+The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
+#### Prerequisite Requirements:
+- Fleet is required for Data Exfiltration Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Potential Data Exfiltration Activity to an Unusual Destination Port
+Machine learning models analyze network traffic to identify anomalies, such as data transfers to uncommon destination ports, which may suggest exfiltration via command and control channels. Adversaries exploit these channels to stealthily siphon data. This detection rule leverages ML to flag deviations from normal traffic patterns, aiding in early identification of potential threats.
+### Possible investigation steps
+- Review the network traffic logs to identify the source IP address associated with the unusual destination port activity. Determine if this IP is known or expected within the organization's network.
+- Analyze the destination port and associated IP address to assess whether it is commonly used for legitimate purposes or if it is known for malicious activity. Cross-reference with threat intelligence databases if necessary.
+- Examine the volume and frequency of data transferred to the unusual destination port to identify any patterns or anomalies that deviate from normal behavior.
+- Investigate the user or system account associated with the source IP to determine if there are any signs of compromise or unauthorized access.
+- Check for any recent changes or updates in the network configuration or security policies that might explain the anomaly.
+- Correlate this event with other security alerts or logs to identify any related suspicious activities or patterns that could indicate a broader threat.
+### False positive analysis
+- Routine data transfers to external services using uncommon ports may trigger false positives. Identify and document these services to create exceptions in the monitoring system.
+- Internal applications that use non-standard ports for legitimate data transfers can be mistaken for exfiltration attempts. Regularly update the list of approved applications and their associated ports to minimize false alerts.
+- Scheduled data backups to cloud services or remote servers might use unusual ports. Verify these activities and configure the system to recognize them as non-threatening.
+- Development and testing environments often use non-standard ports for various operations. Ensure these environments are well-documented and excluded from exfiltration alerts when appropriate.
+- Collaborate with network administrators to maintain an updated inventory of all legitimate network activities and their corresponding ports, reducing the likelihood of false positives.
+### Response and remediation
+- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.
+- Conduct a thorough analysis of the network traffic logs to identify the scope of the exfiltration and determine if other systems are affected.
+- Block the identified unusual destination port at the network perimeter to prevent further unauthorized data transfers.
+- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to block similar exfiltration attempts in the future.
+- Notify the incident response team and relevant stakeholders about the potential data breach for further investigation and escalation.
+- Perform a comprehensive scan of the affected system for malware or unauthorized software that may have facilitated the exfiltration.
+- Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"

nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml ADDED Viewed

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded", "endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/01/15"
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
+name = "Potential Data Exfiltration Activity to an Unusual Region"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded",
+    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
+setup = """## Setup
+The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
+### Data Exfiltration Detection Setup
+The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
+#### Prerequisite Requirements:
+- Fleet is required for Data Exfiltration Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Potential Data Exfiltration Activity to an Unusual Region
+Machine learning models analyze network traffic patterns to identify anomalies, such as data transfers to atypical regions. Adversaries exploit command and control channels to exfiltrate data to these regions, bypassing traditional security measures. This detection rule leverages ML to flag unusual geo-locations, indicating potential exfiltration activities, thus aiding in early threat identification.
+### Possible investigation steps
+- Review the geo-location details flagged by the alert to determine if the region is indeed unusual for the organization's typical network traffic patterns.
+- Analyze the network traffic logs associated with the alert to identify the volume and type of data being transferred to the unusual region.
+- Cross-reference the IP addresses involved in the data transfer with threat intelligence databases to check for any known malicious activity or associations.
+- Investigate the user accounts and devices involved in the data transfer to assess if they have been compromised or are exhibiting other suspicious behaviors.
+- Check for any recent changes in network configurations or security policies that might have inadvertently allowed data transfers to atypical regions.
+- Collaborate with the organization's IT and security teams to verify if there are legitimate business reasons for the data transfer to the flagged region.
+### False positive analysis
+- Legitimate business operations involving data transfers to new or infrequent regions may trigger false positives. Users should review and whitelist these regions if they are part of regular business activities.
+- Scheduled data backups or transfers to cloud services located in atypical regions can be mistaken for exfiltration. Identify and exclude these services from the rule's scope.
+- Remote work scenarios where employees connect from different regions might cause alerts. Maintain an updated list of remote work locations to prevent unnecessary alerts.
+- Partner or vendor data exchanges that occur outside usual geographic patterns should be documented and excluded if they are verified as non-threatening.
+- Temporary projects or collaborations with international teams may result in unusual data flows. Ensure these are accounted for in the rule's configuration to avoid false positives.
+### Response and remediation
+- Isolate the affected systems immediately to prevent further data exfiltration. Disconnect them from the network to stop ongoing communication with the unusual geo-location.
+- Conduct a thorough analysis of the network traffic logs to identify the scope of the exfiltration and determine which data was accessed or transferred.
+- Revoke any compromised credentials and enforce a password reset for affected accounts to prevent unauthorized access.
+- Implement geo-blocking measures to restrict data transfers to the identified unusual region, ensuring that only approved regions can communicate with the network.
+- Review and update firewall and intrusion detection system (IDS) rules to detect and block similar command and control traffic patterns in the future.
+- Escalate the incident to the security operations center (SOC) and relevant stakeholders, providing them with detailed findings and actions taken for further investigation and response.
+- Conduct a post-incident review to assess the effectiveness of the response and identify any gaps in the security posture, implementing necessary improvements to prevent recurrence."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"

nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml ADDED Viewed

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected high bytes of data written to an external device. In a typical operational setting,
+there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually
+large amount of data being written is anomalous and can signal illicit data copying or transfer activities.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device"
+name = "Spike in Bytes Sent to an External Device"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded",
+    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d"
+setup = """## Setup
+The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
+### Data Exfiltration Detection Setup
+The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
+#### Prerequisite Requirements:
+- Fleet is required for Data Exfiltration Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- File events collected by the Elastic Defend integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Spike in Bytes Sent to an External Device
+The detection rule leverages machine learning to identify anomalies in data transfer patterns to external devices, which typically follow predictable trends. Adversaries may exploit this by transferring large volumes of data to external media for exfiltration. The rule detects deviations from normal behavior, flagging potential illicit data transfers for further investigation.
+### Possible investigation steps
+- Review the alert details to identify the specific external device involved and the volume of data transferred.
+- Correlate the time of the anomaly with user activity logs to determine if the data transfer aligns with any known or authorized user actions.
+- Check historical data transfer patterns for the involved device to assess whether the detected spike is truly anomalous or part of a legitimate operational change.
+- Investigate the user account associated with the data transfer for any signs of compromise or unusual behavior, such as recent password changes or failed login attempts.
+- Examine the content and type of data transferred, if possible, to assess the sensitivity and potential impact of the data exfiltration.
+- Cross-reference the device and user activity with other security alerts or incidents to identify any related suspicious activities or patterns.
+### False positive analysis
+- Regular backups to external devices can trigger false positives. Users should identify and exclude backup operations from the rule's scope by specifying known backup software or devices.
+- Software updates or installations that involve large data transfers to external media may be misclassified. Users can create exceptions for these activities by defining specific update processes or installation paths.
+- Data archiving processes that periodically transfer large volumes of data to external storage can be mistaken for exfiltration. Users should whitelist these scheduled archiving tasks by recognizing the associated patterns or schedules.
+- Media content creation or editing, such as video production, often involves significant data transfers. Users can exclude these activities by identifying and excluding the relevant applications or file types.
+- Temporary data transfers for legitimate business purposes, like transferring project files to a client, can be flagged. Users should document and exclude these known business processes by specifying the involved devices or file types.
+### Response and remediation
+- Immediately isolate the affected device from the network to prevent further data exfiltration.
+- Conduct a forensic analysis of the device to identify the source and scope of the data transfer, focusing on the files transferred and any associated processes or applications.
+- Review and revoke any unnecessary permissions or access rights that may have facilitated the data transfer to the external device.
+- Notify the security operations center (SOC) and relevant stakeholders about the incident for awareness and potential escalation.
+- Implement additional monitoring on similar devices and network segments to detect any further anomalous data transfer activities.
+- Update and enforce data transfer policies to restrict unauthorized use of external devices, ensuring compliance with organizational security standards.
+- Consider deploying endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"

nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml ADDED Viewed

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical
+operational setting, there is usually a predictable pattern or a certain range of data that is written to external
+devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer
+activities.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
+name = "Spike in Bytes Sent to an External Device via Airdrop"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded",
+    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
+setup = """## Setup
+The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
+### Data Exfiltration Detection Setup
+The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
+#### Prerequisite Requirements:
+- Fleet is required for Data Exfiltration Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- File events collected by the Elastic Defend integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Spike in Bytes Sent to an External Device via Airdrop
+Airdrop facilitates seamless file sharing between Apple devices, leveraging Bluetooth and Wi-Fi. While convenient, adversaries can exploit it for unauthorized data exfiltration by transferring large volumes of sensitive data. The detection rule employs machine learning to identify anomalies in data transfer patterns, flagging unusual spikes in bytes sent as potential exfiltration attempts, thus aiding in early threat detection.
+### Possible investigation steps
+- Review the alert details to identify the specific device and user involved in the data transfer. Check for any known associations with previous incidents or suspicious activities.
+- Analyze the volume of data transferred and compare it to typical usage patterns for the device and user. Determine if the spike is significantly higher than usual.
+- Investigate the time and context of the data transfer. Correlate with other logs or alerts to identify any concurrent suspicious activities or anomalies.
+- Check the destination device's details to verify if it is a recognized and authorized device within the organization. Investigate any unknown or unauthorized devices.
+- Contact the user associated with the alert to verify the legitimacy of the data transfer. Gather information on the nature of the files transferred and the purpose of the transfer.
+- Review any recent changes in the user's access privileges or roles that might explain the increased data transfer activity.
+### False positive analysis
+- Regular large file transfers for legitimate business purposes, such as media companies transferring video files, can trigger false positives. Users can create exceptions for specific devices or user accounts known to perform these tasks regularly.
+- Software updates or backups that involve transferring large amounts of data to external devices may be misidentified as exfiltration attempts. Users should whitelist these activities by identifying the associated processes or applications.
+- Educational institutions or creative teams often share large files for collaborative projects. Establishing a baseline for expected data transfer volumes and excluding these from alerts can reduce false positives.
+- Devices used for testing or development purposes might frequently send large data volumes. Users can exclude these devices from monitoring by adding them to an exception list.
+- Personal use of Airdrop for transferring large media files, such as photos or videos, can be mistaken for suspicious activity. Users can mitigate this by setting thresholds that account for typical personal use patterns.
+### Response and remediation
+- Immediately isolate the affected device from the network to prevent further data exfiltration.
+- Verify the identity and permissions of the user associated with the anomalous Airdrop activity to ensure they are authorized to transfer data.
+- Conduct a forensic analysis of the device to identify any unauthorized applications or processes that may have facilitated the data transfer.
+- Review and revoke any unnecessary permissions or access rights for the user or device involved in the incident.
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the activity is part of a larger threat campaign.
+- Implement additional monitoring on the affected device and similar devices to detect any further anomalous Airdrop activities.
+- Update security policies and controls to restrict Airdrop usage to only trusted devices and networks, reducing the risk of future unauthorized data transfers."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1011"
+name = "Exfiltration Over Other Network Medium"
+reference = "https://attack.mitre.org/techniques/T1011/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"

nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml ADDED Viewed

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a rare process writing data to an external device. Malicious actors often use
+benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no
+legitimate reason to write data to external devices can indicate exfiltration.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_rare_process_writing_to_external_device"
+name = "Unusual Process Writing Data to an External Device"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/ded",
+    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
+]
+risk_score = 21
+rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
+setup = """## Setup
+The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
+### Data Exfiltration Detection Setup
+The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
+#### Prerequisite Requirements:
+- Fleet is required for Data Exfiltration Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- File events collected by the Elastic Defend integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Data Exfiltration Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Exfiltration",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Unusual Process Writing Data to an External Device
+In modern environments, processes may write data to external devices for legitimate reasons, such as backups or data transfers. However, adversaries can exploit this by using seemingly harmless processes to exfiltrate sensitive data. The detection rule leverages machine learning to identify rare processes engaging in such activities, flagging potential exfiltration attempts by analyzing deviations from typical behavior patterns.
+### Possible investigation steps
+- Review the process name and path to determine if it is commonly associated with legitimate activities or known software.
+- Check the user account associated with the process to verify if it has the necessary permissions and if the activity aligns with the user's typical behavior.
+- Analyze the external device's details, such as its type and connection history, to assess if it is a recognized and authorized device within the organization.
+- Investigate the volume and type of data being written to the external device to identify any sensitive or unusual data transfers.
+- Correlate the process activity with other security events or logs to identify any concurrent suspicious activities or anomalies.
+- Consult with the user or department associated with the process to confirm if the data transfer was authorized and necessary.
+### False positive analysis
+- Backup processes may trigger alerts when writing data to external devices. Users should identify and whitelist legitimate backup applications to prevent false positives.
+- Data transfer applications used for legitimate business purposes can be flagged. Regularly review and approve these applications to ensure they are not mistakenly identified as threats.
+- Software updates or installations that involve writing data to external devices might be detected. Establish a list of known update processes and exclude them from triggering alerts.
+- IT maintenance activities, such as system diagnostics or hardware testing, can cause false positives. Document and exclude these routine processes to avoid unnecessary alerts.
+- User-initiated file transfers for legitimate reasons, such as moving large datasets for analysis, should be monitored and approved to prevent misclassification.
+### Response and remediation
+- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.
+- Identify and terminate the suspicious process writing data to the external device to stop any ongoing exfiltration activities.
+- Conduct a forensic analysis of the affected system to determine the scope of the data exfiltration, including what data was accessed or transferred.
+- Review and revoke any compromised credentials or access permissions associated with the affected process to prevent unauthorized access.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or related suspicious activities.
+- Update security policies and controls to prevent similar exfiltration attempts, such as restricting process permissions to write to external devices and enhancing endpoint protection measures."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"

nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml ADDED Viewed

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga", "endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/04/22"
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is
+predicted to be the result of a Domain Generation Algorithm.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/dga",
+    "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
+]
+risk_score = 73
+rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
+setup = """## Setup
+The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat.
+### DGA Detection Setup
+The DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.
+#### Prerequisite Requirements:
+- Fleet is required for DGA Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.
+#### The following steps should be executed to install assets associated with the DGA Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
+"""
+severity = "high"
+tags = [
+    "Domain: Network",
+    "Domain: Endpoint",
+    "Data Source: Elastic Defend",
+    "Use Case: Domain Generation Algorithm Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com
+'''
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Machine Learning Detected DGA activity using a known SUNBURST DNS domain
+Domain Generation Algorithms (DGAs) are used by adversaries to dynamically generate domain names for command and control (C2) communication, making it difficult to block malicious domains. The SUNBURST malware utilized such techniques. The detection rule leverages machine learning to identify DNS queries linked to these generated domains, specifically targeting those associated with SUNBURST, by analyzing patterns and predicting malicious activity, thus aiding in early threat detection and mitigation.
+### Possible investigation steps
+- Review the DNS logs to identify the source IP address associated with the DNS query for avsvmcloud.com to determine the affected host within the network.
+- Check historical DNS query logs for the identified host to see if there are additional queries to other suspicious or known malicious domains, indicating further compromise.
+- Investigate the network traffic from the identified host around the time of the alert to detect any unusual patterns or connections to external IP addresses that may suggest command and control activity.
+- Examine endpoint security logs and alerts for the affected host to identify any signs of SUNBURST malware or other related malicious activity.
+- Correlate the alert with other security events in the environment to determine if there are any related incidents or patterns that could indicate a broader attack campaign.
+- Assess the risk and impact of the detected activity on the organization and determine if immediate containment or remediation actions are necessary.
+### False positive analysis
+- Legitimate software updates or network services may occasionally use domain generation algorithms for load balancing or redundancy, leading to false positives. Users should monitor and whitelist these known benign services.
+- Internal testing environments or security tools that simulate DGA behavior for research or training purposes might trigger alerts. Exclude these environments by adding them to an exception list.
+- Some cloud services might use dynamic DNS techniques that resemble DGA patterns. Identify and document these services, then configure exceptions to prevent unnecessary alerts.
+- Frequent legitimate access to avsvmcloud.com by security researchers or analysts could be misclassified. Ensure these activities are logged and reviewed, and create exceptions for known research IPs or user accounts.
+- Regularly review and update the exception list to ensure it reflects current network behavior and does not inadvertently allow new threats.
+### Response and remediation
+- Isolate the affected systems immediately to prevent further communication with the malicious domain avsvmcloud.com and halt potential data exfiltration or lateral movement.
+- Conduct a thorough scan of the isolated systems using updated antivirus and anti-malware tools to identify and remove any SUNBURST malware or related malicious files.
+- Review and block any outbound traffic to the domain avsvmcloud.com at the network perimeter to prevent future connections from other potentially compromised systems.
+- Analyze network logs and DNS query records to identify any other systems that may have communicated with the domain, and apply the same isolation and scanning procedures to those systems.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the compromise.
+- Implement enhanced monitoring and alerting for any DNS queries or network traffic patterns indicative of DGA activity, particularly those resembling SUNBURST characteristics, to detect and respond to similar threats promptly.
+- Review and update incident response and recovery plans to incorporate lessons learned from this incident, ensuring faster and more effective responses to future threats."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"