SIEM

These anomaly detection jobs appear by default in the Anomaly Detection interface of the SIEM app in Kibana. They help you automatically detect file system and network anomalies on your hosts. The list below contains the jobs organized by agent.type (Auditbeat, Packetbeat, and Winlogbeat).
SIEM - Auditbeat

- linux_anomalous_network_activity_ecs
  - For network activity logs where agent.type is auditbeat.
  - Models the occurrences of processes that cause network activity.
  - Detects network activity caused by processes that occur rarely compared to other processes (using the rare function).
  - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.
- linux_anomalous_network_port_activity_ecs
  - For network activity logs where agent.type is auditbeat.
  - Models destination port activity.
  - Detects destination port activity that occurs rarely compared to other port activities (using the rare function).
  - Looks for unusual destination port activity that could indicate command-and-control, persistence mechanism, or data exfiltration activity.
- linux_anomalous_network_service
  - For network activity logs where agent.type is auditbeat.
  - Models listening port activity.
  - Detects unusual listening port activity that occurs rarely compared to other port activities (using the rare function).
  - Looks for unusual listening ports that could indicate execution of unauthorized services, backdoors, or persistence mechanisms.
- linux_anomalous_network_url_activity_ecs
  - For network activity logs where agent.type is auditbeat.
  - Models the occurrences of URL requests.
  - Detects unusual web URL requests that are rare compared to other web URL requests (using the rare function).
  - Looks for an unusual web URL request from a Linux instance. Curl and wget web request activity is very common, but unusual web requests from a Linux server can sometimes be malware delivery or execution.
- linux_anomalous_process_all_hosts_ecs
  - For host activity logs where agent.type is auditbeat.
  - Models the occurrences of processes on all hosts.
  - Detects processes that occur rarely compared to other processes across all Linux/Windows hosts (using the rare function).
  - Looks for processes that are unusual to all Linux hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.
- linux_anomalous_user_name_ecs
  - For host activity logs where agent.type is auditbeat.
  - Models user activity.
  - Detects users that are rarely or unusually active compared to other users (using the rare function).
  - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user, which may be credentialed access or lateral movement.
- rare_process_by_host_linux_ecs
  - For host activity logs where agent.type is auditbeat.
  - Models occurrences of process activities on the host.
  - Detects unusually rare processes compared to other processes on Linux (using the rare function).
- suspicious_login_activity_ecs
  - For host activity logs where agent.type is auditbeat.
  - Models occurrences of authentication attempts (partition_field_name is host.name).
  - Detects an unusually high number of authentication attempts (using the high_non_zero_count function).
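To make the rare and high_non_zero_count descriptions concrete, here is an added example; it is not Elastic's code and not how the Elastic ML jobs work internally (those run online probability models over time buckets and learn a baseline per environment). It approximates the two detector behaviours with plain counting over constructed ECS-style events: rare_values counts a by-field (such as process.name) inside each partition (such as host.name) and flags values whose share of the partition is tiny, which is the shape of every rare-based job on this page, including the Packetbeat and Winlogbeat ones with other by and partition fields; high_count_buckets counts authentication attempts per host and 15-minute bucket and flags buckets far above that host's typical level. The event records, the select_events datafeed stand-in, the thresholds and the function names are assumptions chosen for the illustration.

```python
"""Toy analogues of the rare and high_non_zero_count detectors.

Added illustration, not Elastic's code: the real jobs run Elastic ML's
online probability models over time buckets. Plain counting is used here
to show what each job is looking for in the ECS fields it names.
"""
from collections import Counter, defaultdict
from statistics import median

# --- constructed sample data (not captured from any real host) -------------

PROCESS_EVENTS = (
    [{"agent.type": "auditbeat", "host.name": "web-1", "process.name": "nginx"}] * 40
    + [{"agent.type": "auditbeat", "host.name": "web-1", "process.name": "sshd"}] * 15
    + [{"agent.type": "auditbeat", "host.name": "web-1", "process.name": "ncat"}]
    + [{"agent.type": "auditbeat", "host.name": "db-1", "process.name": "postgres"}] * 30
    + [{"agent.type": "auditbeat", "host.name": "db-1", "process.name": "sshd"}] * 10
    # a Winlogbeat event: the Auditbeat jobs' datafeeds never see it
    + [{"agent.type": "winlogbeat", "host.name": "win-1", "process.name": "ncat"}]
)


def _auth_events(host, counts_per_bucket, bucket_seconds=900, start=1_700_000_000):
    """Build authentication events, counts_per_bucket[i] of them in bucket i."""
    events = []
    for i, n in enumerate(counts_per_bucket):
        for k in range(n):
            events.append({
                "agent.type": "auditbeat",
                "host.name": host,
                "event.category": "authentication",
                "@timestamp": start + i * bucket_seconds + k,  # epoch seconds
            })
    return events


# bastion-1 has a burst of 60 attempts in its last 15-minute bucket
AUTH_EVENTS = (_auth_events("bastion-1", [3, 4, 3, 5, 4, 3, 4, 3, 5, 4, 60])
               + _auth_events("bastion-2", [2, 3, 2, 3, 2, 3]))


def select_events(events, agent_type):
    """Mimic the job's datafeed query: keep only events with this agent.type."""
    return [e for e in events if e.get("agent.type") == agent_type]


def rare_values(events, by_field, partition_field=None, max_share=0.05):
    """Simplified 'rare' detector.

    Counts each by_field value within its partition (globally when
    partition_field is None) and returns values whose share of the
    partition's events is at most max_share, rarest first.
    """
    counts = defaultdict(Counter)
    for e in events:
        if by_field not in e:
            continue
        partition = e.get(partition_field) if partition_field else "*"
        counts[partition][e[by_field]] += 1
    flagged = []
    for partition, counter in counts.items():
        total = sum(counter.values())
        for value, n in counter.items():
            share = n / total
            if share <= max_share:
                flagged.append({"partition": partition, "value": value,
                                "count": n, "share": round(share, 4)})
    return sorted(flagged, key=lambda f: f["share"])


def high_count_buckets(events, partition_field, time_field, bucket_seconds, ratio=5.0):
    """Simplified 'high_non_zero_count' detector.

    Counts events per (partition, time bucket) and flags buckets whose count
    exceeds ratio times the partition's median non-empty bucket count.
    """
    counts = defaultdict(Counter)
    for e in events:
        bucket = int(e[time_field] // bucket_seconds) * bucket_seconds
        counts[e[partition_field]][bucket] += 1
    flagged = []
    for partition, per_bucket in counts.items():
        typical = median(per_bucket.values())
        for bucket, n in sorted(per_bucket.items()):
            if n > ratio * typical:
                flagged.append({"partition": partition, "bucket_start": bucket,
                                "count": n, "median": typical})
    return flagged


if __name__ == "__main__":
    linux = select_events(PROCESS_EVENTS, "auditbeat")
    print(rare_values(linux, "process.name", "host.name"))  # ncat on web-1 only
    print(high_count_buckets(AUTH_EVENTS, "host.name", "@timestamp", 900))
```

Partitioning matters: with host.name as the partition, ncat is flagged on web-1 where it has never been the norm, while the same counting with no partition would judge every process against the fleet as a whole, which is what the all_hosts jobs do. The median-based burst rule is deliberately crude; the real high_non_zero_count function models the count distribution per partition over time, so a host that is always busy is not flagged merely for being busy.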
SIEM - Packetbeat

- packetbeat_dns_tunneling
  - For network activity logs where agent.type is packetbeat.
  - Models occurrences of DNS activity.
  - Detects unusual DNS activity (using the high_info_content function).
  - Looks for unusual DNS activity that could indicate command-and-control or data exfiltration activity.
- packetbeat_rare_dns_question
  - For network activity logs where agent.type is packetbeat.
  - Models occurrences of DNS activity.
  - Detects DNS activity that is rare compared to other DNS activities (using the rare function).
  - Looks for unusual DNS activity that could indicate command-and-control activity.
- packetbeat_rare_server_domain
  - For network activity logs where agent.type is packetbeat.
  - Models HTTP or TLS domain activity.
  - Detects HTTP or TLS domain activity that rarely occurs compared to other activities (using the rare function).
  - Looks for unusual HTTP or TLS destination domain activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
- packetbeat_rare_urls
  - For network activity logs where agent.type is packetbeat.
  - Models occurrences of web browsing URL activity.
  - Detects URL activity that rarely occurs compared to other URL activities (using the rare function).
  - Looks for unusual web browsing URL activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
- packetbeat_rare_user_agent
  - For network activity logs where agent.type is packetbeat.
  - Models occurrences of HTTP user agent activity.
  - Detects HTTP user agent activity that occurs rarely compared to other HTTP user agent activities (using the rare function).
  - Looks for unusual HTTP user agent activity that could indicate execution, persistence, command-and-control or data exfiltration activity.
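The packetbeat_dns_tunneling job (and windows_anomalous_script below) rely on the high_info_content function rather than on rarity. The following added example, which is not Elastic's code, shows the intuition with per-name Shannon entropy over constructed Packetbeat-style DNS events: names that encode data into subdomains are far more information-dense than ordinary hostnames. Elastic ML's info_content functions actually score the information content of the field over each time bucket against a learned baseline, so the entropy threshold, the dns.question.name events and the function names here are assumptions for the illustration only.

```python
"""Toy analogue of the high_info_content detector on DNS question names.

Added illustration, not Elastic's code: Elastic ML's info_content functions
score the information content of a field over each time bucket against a
learned baseline. Per-name Shannon entropy stands in for that score here,
which is enough to show why encoded subdomains stand out from normal names.
"""
import math
from collections import Counter

# Constructed Packetbeat-style DNS events (not captured from a real network).
DNS_EVENTS = [
    {"agent.type": "packetbeat", "dns.question.name": "www.example.com"},
    {"agent.type": "packetbeat", "dns.question.name": "mail.example.com"},
    {"agent.type": "packetbeat", "dns.question.name": "cdn.example.com"},
    {"agent.type": "packetbeat", "dns.question.name": "api.internal.corp"},
    {"agent.type": "packetbeat", "dns.question.name": "www.example.com"},
    # two long, high-entropy labels of the kind produced by encoding data
    # into subdomains; placeholder domain, not a real indicator
    {"agent.type": "packetbeat",
     "dns.question.name": "a9f3k2lq8z1xp4mn7cb6.tunnel.example.net"},
    {"agent.type": "packetbeat",
     "dns.question.name": "z8q1w5e7r9t2y4u6i0o.tunnel.example.net"},
]


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty or uniform string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    length = len(text)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def high_info_content(events, field="dns.question.name", min_bits=4.0):
    """Flag events whose field value carries at least min_bits of entropy.

    Returns one record per flagged event with the rounded entropy, highest
    first, so an analyst can triage the most information-dense names.
    """
    flagged = []
    for e in events:
        name = e.get(field)
        if name is None:
            continue
        bits = shannon_entropy(name)
        if bits >= min_bits:
            flagged.append({"name": name, "entropy_bits": round(bits, 3),
                            "length": len(name)})
    return sorted(flagged, key=lambda f: f["entropy_bits"], reverse=True)


if __name__ == "__main__":
    for hit in high_info_content(DNS_EVENTS):
        print(hit)
```

A fixed entropy threshold is only a teaching device: CDN, cloud and telemetry hostnames legitimately contain hashed labels, which is why the shipped job learns what is normal for the monitored network instead of applying a constant. When triaging a hit from the real job, look at the volume of distinct high-entropy names under one parent domain and the size of the responses, not a single query in isolation.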
SIEM - Winlogbeat

- windows_anomalous_network_activity_ecs
  - For network activity logs where agent.type is winlogbeat.
  - Models the occurrences of processes that cause network activity.
  - Detects network activity caused by processes that occur rarely compared to other processes (using the rare function).
  - Looks for unusual processes using the network which could indicate command-and-control, lateral movement, persistence, or data exfiltration activity.
- windows_anomalous_process_all_hosts_ecs
  - For host activity logs where agent.type is winlogbeat.
  - Models the occurrences of processes on all hosts.
  - Detects processes that occur rarely compared to other processes across all Linux/Windows hosts (using the rare function).
  - Looks for processes that are unusual to all Windows hosts. Such unusual processes may indicate unauthorized services, malware, or persistence mechanisms.
- windows_anomalous_user_name_ecs
  - For host activity logs where agent.type is winlogbeat.
  - Models user activity.
  - Detects users that are rarely or unusually active compared to other users (using the rare function).
  - Rare and unusual users that are not normally active may indicate unauthorized changes or activity by an unauthorized user, which may be credentialed access or lateral movement.
- rare_process_by_host_windows_ecs
  - For host activity logs where agent.type is winlogbeat.
  - Models occurrences of process activities on the host.
  - Detects unusually rare processes compared to other processes on Windows (using the rare function).
- windows_anomalous_path_activity_ecs
  - For host activity logs where agent.type is winlogbeat.
  - Models occurrences of processes in paths.
  - Detects activity in unusual paths (using the rare function).
  - Activities in unusual paths may indicate execution of malware or persistence mechanisms. Windows payloads often execute from user profile paths.
- windows_anomalous_process_creation
  - For host activity logs where agent.type is winlogbeat.
  - Models occurrences of process creation activities (partition_field_name is process.parent.name).
  - Detects process relationships that are rare compared to other process relationships (using the rare function).
  - Looks for unusual process relationships which may indicate execution of malware or persistence mechanisms.
- windows_anomalous_script
  - For host activity logs where agent.type is winlogbeat.
  - Models occurrences of PowerShell script activities.
  - Detects unusual PowerShell script execution compared to other PowerShell script activities (using the high_info_content function).
  - Looks for unusual PowerShell scripts that may indicate execution of malware or persistence mechanisms.
- windows_anomalous_service
  - For host activity logs where agent.type is winlogbeat.
  - Models occurrences of Windows service activities.
  - Detects Windows service activities that occur rarely compared to other Windows service activities (using the rare function).
  - Looks for rare and unusual Windows services which may indicate execution of unauthorized services, malware, or persistence mechanisms.
- windows_rare_user_runas_event
  - For host activity logs where agent.type is winlogbeat.
  - Models occurrences of user context switches.
  - Detects user context switches that occur rarely compared to other user context switches (using the rare function).
  - Unusual user context switches can be due to privilege escalation.
- windows_rare_user_type10_remote_login
  - For host activity logs where agent.type is winlogbeat.
  - Models occurrences of user remote login activities.
  - Detects user remote login activities that occur rarely compared to other user remote login activities (using the rare function).
  - Looks for unusual user remote logins. Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access.