SIEM

These anomaly detection jobs appear by default in the Anomaly Detection interface of the SIEM app in Kibana. They help you automatically detect host and network anomalies (unusual processes, users, logins, services, and network activity) on your hosts. The list below contains the jobs organized by agent.type (Auditbeat, Packetbeat, and Winlogbeat).

SIEM - Auditbeat

linux_anomalous_network_activity_ecs
  • For network activity logs where agent.type is auditbeat.
  • Models the occurrences of processes that cause network activity.
  • Detects network activity caused by processes that occur rarely compared to other processes (using the rare function).

Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.

linux_anomalous_network_port_activity_ecs
  • For network activity logs where agent.type is auditbeat.
  • Models destination port activity.
  • Detects destination port activity that occurs rarely compared to other port activities (using the rare function).

Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.

linux_anomalous_network_service
  • For network activity logs where agent.type is auditbeat.
  • Models listening port activity.
  • Detects unusual listening port activity that occurs rarely compared to other port activities (using the rare function).

Looks for unusual listening ports that could indicate execution of unauthorized services, backdoors, or persistence mechanisms.

linux_anomalous_network_url_activity_ecs
  • For network activity logs where agent.type is auditbeat.
  • Models the occurrences of URL requests.
  • Detects web URL requests that are rare compared to other web URL requests (using the rare function).

Looks for unusual web URL requests from a Linux host. curl and wget web requests are very common, but unusual web requests from a Linux server can sometimes indicate malware delivery or execution.

linux_anomalous_process_all_hosts_ecs
  • For host activity logs where agent.type is auditbeat.
  • Models the occurrences of processes on all hosts.
  • Detects processes that occur rarely compared to other processes across all Linux hosts (using the rare function).

Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.

linux_anomalous_user_name_ecs
  • For host activity logs where agent.type is auditbeat.
  • Models user activity.
  • Detects users that are rarely or unusually active compared to other users (using the rare function).

Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user, which may be a sign of credentialed access or lateral movement.

rare_process_by_host_linux_ecs
  • For host activity logs where agent.type is auditbeat.
  • Models occurrences of process activities on the host.
  • Detects processes that occur unusually rarely compared to other processes on the same Linux host (using the rare function).

suspicious_login_activity_ecs
  • For host activity logs where agent.type is auditbeat.
  • Models occurrences of authentication attempts (partition_field_name is host.name).
  • Detects an unusually high number of authentication attempts (using the high_non_zero_count function).
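The Auditbeat jobs above differ mainly in how the rare function is scoped: linux_anomalous_process_all_hosts_ecs keeps one model for the whole fleet, rare_process_by_host_linux_ecs keeps one model per host (partition_field_name is host.name), and suspicious_login_activity_ecs counts authentication attempts per host per bucket with high_non_zero_count. The script below is an added illustration written for this page, not code from Elastic or from the jobs themselves: it runs simplified stand-ins for those three detectors over constructed sample records (the host names, process names and per-bucket counts are made up). The fixed share and ratio thresholds are assumptions chosen to make the behaviour visible; the real jobs score a learned probability distribution instead.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample events standing in for auditbeat process records
# (only host.name and process.name are kept); not real telemetry.
EVENTS = (
    [{"host.name": "web-01", "process.name": "nginx"}] * 40
    + [{"host.name": "web-02", "process.name": "nginx"}] * 40
    + [{"host.name": "build-01", "process.name": "python3"}] * 30
    + [{"host.name": "build-01", "process.name": "gcc"}] * 25
    + [{"host.name": h, "process.name": "sshd"}
       for h in ("web-01", "web-02", "build-01") for _ in range(10)]
    + [{"host.name": "web-01", "process.name": "python3"}]  # common fleet-wide, rare on web-01
    + [{"host.name": "web-02", "process.name": "nc"}]       # rare everywhere
)


def fleet_rare(events, field="process.name", max_share=0.02):
    """Stand-in for a 'rare' detector with by_field_name=field and no
    partition (linux_anomalous_process_all_hosts_ecs): one model for the
    whole fleet, so a value is anomalous only when it is rare everywhere.
    The real job scores the modelled probability of the category; here a
    value is flagged when it makes up at most max_share of all events
    (assumed threshold)."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    return sorted(v for v, n in counts.items() if n / total <= max_share)


def rare_by_partition(events, field="process.name", partition="host.name",
                      max_share=0.02):
    """Stand-in for 'rare' with partition_field_name=partition
    (rare_process_by_host_linux_ecs): one model per host, so a process that
    is common on build hosts is still anomalous the first time it runs on a
    web host. With partition="process.parent.name" the same logic gives the
    parent/child rarity of windows_anomalous_process_creation."""
    per_partition = defaultdict(Counter)
    for e in events:
        per_partition[e[partition]][e[field]] += 1
    hits = []
    for key, counts in per_partition.items():
        total = sum(counts.values())
        hits.extend((key, v) for v, n in counts.items() if n / total <= max_share)
    return sorted(hits)


# Constructed authentication-attempt counts per host per 15-minute bucket,
# i.e. the input high_non_zero_count would see after bucketing.
AUTH_BUCKETS = {
    "web-01": [3, 2, 4, 3, 0, 2, 40, 3],
    "web-02": [1, 0, 2, 1, 1, 2, 1, 1],
}


def high_non_zero_count(buckets_by_host, factor=5):
    """Stand-in for high_non_zero_count partitioned by host.name
    (suspicious_login_activity_ecs). Buckets with no attempts are left out
    of the baseline (the 'non_zero' part), so quiet periods do not drag the
    expected count toward zero and make ordinary activity look anomalous.
    A bucket is flagged when its count is at least factor x the host's
    median non-zero count (assumed rule); the real job uses a learned
    distribution."""
    hits = []
    for host, counts in buckets_by_host.items():
        non_zero = [c for c in counts if c > 0]
        if not non_zero:
            continue
        baseline = median(non_zero)
        for i, c in enumerate(counts):
            if c > 0 and c >= factor * baseline:
                hits.append((host, i, c))
    return hits


if __name__ == "__main__":
    print("rare across the fleet:", fleet_rare(EVENTS))
    print("rare within a host:", rare_by_partition(EVENTS))
    print("auth spikes:", high_non_zero_count(AUTH_BUCKETS))
```

Run as-is, the fleet-wide detector reports only nc, while the per-host detector also reports python3 on web-01, which is the practical difference between the two process jobs: the partitioned job catches a tool that is normal somewhere in the estate but out of place on this machine, at the cost of more alerts to triage.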

SIEM - Packetbeat

packetbeat_dns_tunneling
  • For network activity logs where agent.type is packetbeat.
  • Models occurrences of DNS activity.
  • Detects unusual DNS activity (using the high_info_content function).

Looks for unusual DNS activity that could indicate command-and-control or data exfiltration activity.

packetbeat_rare_dns_question
  • For network activity logs where agent.type is packetbeat.
  • Models occurrences of DNS activity.
  • Detects DNS activity that is rare compared to other DNS activities (using the rare function).

Looks for unusual DNS activity that could indicate command-and-control activity.

packetbeat_rare_server_domain
  • For network activity logs where agent.type is packetbeat.
  • Models HTTP or TLS domain activity.
  • Detects HTTP or TLS domain activity that occurs rarely compared to other domain activities (using the rare function).

Looks for unusual HTTP or TLS destination domain activity that could indicate execution, persistence, command-and-control or data exfiltration activity.

packetbeat_rare_urls
  • For network activity logs where agent.type is packetbeat.
  • Models occurrences of web browsing URL activity.
  • Detects URL activity that rarely occurs compared to other URL activities (using the rare function).

Looks for unusual web browsing URL activity that could indicate execution, persistence, command-and-control or data exfiltration activity.

packetbeat_rare_user_agent
  • For network activity logs where agent.type is packetbeat.
  • Models occurrences of HTTP user agent activity.
  • Detects HTTP user agent activity that occurs rarely compared to other HTTP user agent activities (using the rare function).

Looks for unusual HTTP user agent activity that could indicate execution, persistence, command-and-control or data exfiltration activity.

SIEM - Winlogbeat

windows_anomalous_network_activity_ecs
  • For network activity logs where agent.type is winlogbeat.
  • Models the occurrences of processes that cause network activity.
  • Detects network activity caused by processes that occur rarely compared to other processes (using the rare function).

Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.

windows_anomalous_process_all_hosts_ecs
  • For host activity logs where agent.type is winlogbeat.
  • Models the occurrences of processes on all hosts.
  • Detects processes that occur rarely compared to other processes across all Windows hosts (using the rare function).

Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.

windows_anomalous_user_name_ecs
  • For host activity logs where agent.type is winlogbeat.
  • Models user activity.
  • Detects users that are rarely or unusually active compared to other users (using the rare function).

Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user, which may be a sign of credentialed access or lateral movement.

rare_process_by_host_windows_ecs
  • For host activity logs where agent.type is winlogbeat.
  • Models occurrences of process activities on the host.
  • Detects processes that occur unusually rarely compared to other processes on the same Windows host (using the rare function).

windows_anomalous_path_activity_ecs
  • For host activity logs where agent.type is winlogbeat.
  • Models occurrences of processes in paths.
  • Detects activity in unusual paths (using the rare function).

Activities in unusual paths may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.

windows_anomalous_process_creation
  • For host activity logs where agent.type is winlogbeat.
  • Models occurrences of process creation activities (partition_field_name is process.parent.name).
  • Detects process relationships that are rare compared to other process relationships (using the rare function).

Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.

windows_anomalous_script
  • For host activity logs where agent.type is winlogbeat.
  • Models occurrences of PowerShell script activities.
  • Detects PowerShell script execution that is unusual compared to other PowerShell script activities (using the high_info_content function).

Looks for unusual PowerShell scripts that may indicate execution of malware or persistence mechanisms.
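Two jobs on this page use high_info_content rather than rare: packetbeat_dns_tunneling (DNS question names that carry more information than normal lookups) and windows_anomalous_script (PowerShell scripts that carry more information than routine commands). The script below is an added illustration written for this page, not code from Elastic or from either job: it approximates information content with Shannon entropy times length, applies it to constructed DNS question names (stripping the registered domain so only the labels a client controls are scored) and to constructed PowerShell command lines, and flags anything well above the population median. The entropy measure, the two-label registered-domain heuristic, the 3x median ratio, and all sample names and commands are assumptions made for the example; the encoded payload is a benign Write-Host built inline.

```python
import base64
import math
from collections import Counter
from statistics import median


def info_bits(s: str) -> float:
    """Shannon information of s in bits (entropy per character x length).
    This stands in for the ML info_content measure: repetitive strings score
    low, long strings drawn from many symbols score high."""
    if not s:
        return 0.0
    n = len(s)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    return entropy * n


def dns_payload(question: str, suffix_labels: int = 2) -> str:
    """Keep only the labels a client controls. Assumes the registered domain
    is the last two labels (true for example.com, not for co.uk-style
    suffixes; a public-suffix list would be used in practice)."""
    labels = question.rstrip(".").split(".")
    return ".".join(labels[:-suffix_labels])


def high_info_content(items, score, factor=3.0):
    """Flag items whose score is at least factor x the population median
    (assumed rule). The real detector learns a distribution of per-bucket
    information content; this fixed ratio is a crude stand-in."""
    scores = {item: score(item) for item in items}
    baseline = median(scores.values())
    return [item for item, s in scores.items() if s >= factor * baseline]


# Constructed DNS question names: ordinary lookups plus two with long
# high-entropy labels of the kind DNS tunnelling produces. Not real traffic.
DNS_QUESTIONS = [
    "www.example.com", "mail.example.com", "api.example.com",
    "cdn.example.com", "login.example.com", "static.example.com",
    "7a9f3c1b2e4d5f6a.7b8c9d0e1f2a3b4c.t.example.net",
    "q2m8x1p4z7k3n6v9.d5h0r2w8j4b6y1f3.t.example.net",
]

# Constructed PowerShell command lines: routine administration plus one
# -EncodedCommand invocation. The encoded payload is a benign Write-Host,
# built here so the example is self-contained; encoded or obfuscated
# scripts carry far more information per line than routine ones.
ENCODED = base64.b64encode(
    "Write-Host 'constructed example payload for the info-content demo'"
    .encode("utf-16-le")).decode()
PS_COMMANDS = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "Get-ChildItem -Path C:\\Logs -Recurse",
    "Restart-Service -Name Spooler",
    "Get-EventLog -LogName System -Newest 50",
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED,
]


def unusual_dns():
    """Question names whose client-controlled labels are unusually rich."""
    return high_info_content(DNS_QUESTIONS, lambda q: info_bits(dns_payload(q)))


def unusual_scripts():
    """Command lines that carry far more information than their peers."""
    return high_info_content(PS_COMMANDS, info_bits)


if __name__ == "__main__":
    for q in DNS_QUESTIONS:
        print(f"{info_bits(dns_payload(q)):7.1f} bits  {q}")
    print("unusual DNS:", unusual_dns())
    print("unusual scripts:", [c[:60] + "..." for c in unusual_scripts()])
```

The two flagged DNS names and the encoded command line come out well above everything else. The stripping step matters: scoring the whole question name would let a long but legitimate registered domain inflate the score, whereas tunnelling tools put their data in the leftmost labels.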

windows_anomalous_service
  • For host activity logs where agent.type is winlogbeat.
  • Models occurrences of Windows service activities.
  • Detects Windows service activities that occur rarely compared to other Windows service activities (using the rare function).

Looks for rare and unusual Windows services which may indicate execution of unauthorized services, malware, or persistence mechanisms.

windows_rare_user_runas_event
  • For host activity logs where agent.type is winlogbeat.
  • Models occurrences of user context switches.
  • Detects user context switches that occur rarely compared to other user context switches (using the rare function).

Unusual user context switches can be due to privilege escalation.

windows_rare_user_type10_remote_login
  • For host activity logs where agent.type is winlogbeat.
  • Models occurrences of user remote login activities.
  • Detects user remote login activities that occur rarely compared to other user remote login activities (using the rare function).

Looks for unusual user remote logins. Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.