forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
command_and_control_ml_packetbeat_rare_user_agent.toml
57 lines (50 loc) · 2.2 KB
/
command_and_control_ml_packetbeat_rare_user_agent.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
[metadata]
creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process
other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user
agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which
are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools
like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from
local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or
stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning
activity.
"""
false_positives = [
"""
Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or
rarely used program that calls web services may trigger this alert.
""",
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_rare_user_agent"
name = "Unusual Web User Agent"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
severity = "low"
tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"