Create rule

When used with API key authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.

Creates a new detection rule.
You can create the following types of rules:

- Custom query: Searches the defined indices and creates an alert when a document matches the rule's KQL query.
- Event correlation: Searches the defined indices and creates an alert when results match an Event Query Language (EQL) query.
- Threshold: Searches the defined indices and creates an alert when the value of a specified field meets the threshold during a single execution. When multiple values meet the threshold, an alert is generated for each value. For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears at least 10 times in the rule's search results. If you are interested, see Terms aggregation for more information.
- Indicator match: Creates an alert when fields match values defined in the specified Elasticsearch index. For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be ECS-compliant.
- New terms: Generates an alert for each new term detected in source documents within a specified time range.
- ES|QL: Uses Elasticsearch Query Language (ES|QL) to find events and aggregate search results.
- Machine learning rules: Creates an alert when a machine learning job discovers an anomaly above the defined threshold (see Anomaly detection).

To retrieve machine learning job IDs, which are required to create machine learning rules, call the Elasticsearch Get jobs API. Machine learning jobs that contain `siem` in the `groups` field can be used to create rules:

```
...
"job_id": "linux_anomalous_network_activity_ecs",
"job_type": "anomaly_detector",
"job_version": "7.7.0",
"groups": [
  "auditbeat",
  "process",
  "siem"
],
...
```
Additionally, you can set up notifications for when rules create alerts. The notifications use the Kibana Alerting and Actions framework. Each action type requires a connector. Connectors store the information required to send the notification via an external system. The following connector types are supported for rule notifications:

- Slack
- Email
- PagerDuty
- Webhook
- Microsoft Teams
- IBM Resilient
- Jira
- ServiceNow ITSM

For more information on PagerDuty fields, see Send a v2 event.

To retrieve connector IDs, which are required to configure rule notifications, call the Kibana find objects API with `"type": "action"` in the request payload.

For detailed information about Kibana actions and alerting, and additional API calls, see:
Request URL

`POST <kibana host>:<port>/api/detection_engine/rules`

Request body

A JSON object that defines the rule values.
Required fields for all rule types

| Name | Type | Description |
|---|---|---|
| description | String | The rule's description. |
| name | String | The rule's name. |
| risk_score | Integer | A numerical representation of the alert's severity from 0 to 100, where: |
| severity | String | Severity level of alerts produced by the rule, which must be one of the following: |
| type | String | The type of data the rule is based on: |
Required fields for query, indicator match, threshold, new terms, event correlation, and ES|QL rules

| Name | Type | Description |
|---|---|---|
| query | String | The query the rule uses to create alerts. |
Required fields for threshold rules

| Name | Type | Description |
|---|---|---|
| threshold | Object | Defines the field and the threshold value for generating alerts, where: |
Required fields for saved query rules

| Name | Type | Description |
|---|---|---|
| saved_id | String | The Kibana saved search the rule uses to create alerts. |
Required fields for event correlation rules

| Name | Type | Description |
|---|---|---|
| language | String | Must be: |
Required fields for ES|QL rules

| Name | Type | Description |
|---|---|---|
| language | String | Must be: |
Required fields for machine learning rules

| Name | Type | Description |
|---|---|---|
| anomaly_threshold | Integer | Anomaly score threshold above which the rule creates alerts. Valid values are from: |
| machine_learning_job_id | String[] | Machine learning job IDs the rule monitors for anomaly scores. |
Required fields for indicator match rules

| Name | Type | Description |
|---|---|---|
| threat_index | String[] | The Elasticsearch indices used to check which field values generate alerts. |
| threat_query | String | Query used to determine which fields in the Elasticsearch index are used for generating alerts. |
| threat_mapping | Object[] | Array that defines field mappings between the source event fields and the values in the Elasticsearch threat index. You can use Boolean logic: |
Required fields for new terms rules

| Name | Type | Description |
|---|---|---|
| new_terms_fields | String[] | The fields to monitor for new values. Must contain 1-3 field names. |
| history_window_start | String | Start date to use when checking whether a term has been seen before. Supports relative dates, for example: |
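The required-field tables above are easy to get wrong when rule payloads are generated by tooling. The following helper, an added example rather than Elastic's code, checks a payload against those tables before it is posted; the `type` values it knows are the ones used by this page's example requests plus `saved_query` for saved query rules, which is assumed.

```python
# Added example, not Elastic's code: checks a rule payload against the
# required-field tables above before it is sent to
# POST /api/detection_engine/rules, so a bad request is caught locally.
# The "type" values are those used in this page's examples, plus
# "saved_query" for saved query rules (assumed).
from typing import Dict, List

# Required for every rule type.
COMMON_REQUIRED = ["description", "name", "risk_score", "severity", "type"]

# Additional required fields per rule type, from the per-type tables.
TYPE_REQUIRED: Dict[str, List[str]] = {
    "query": ["query"],
    "saved_query": ["saved_id"],
    "threshold": ["query", "threshold"],
    "threat_match": ["query", "threat_index", "threat_query", "threat_mapping"],
    "new_terms": ["query", "new_terms_fields", "history_window_start"],
    "eql": ["query", "language"],
    "esql": ["query", "language"],
    "machine_learning": ["anomaly_threshold", "machine_learning_job_id"],
}

# Severity values used by the examples on this page.
SEVERITIES = ("low", "medium", "high", "critical")


def validate_rule(rule: dict) -> List[str]:
    """Return the problems found; an empty list means every required field
    for the rule's type is present and the basic value constraints hold."""
    problems: List[str] = []
    for field in COMMON_REQUIRED:
        if field not in rule:
            problems.append(f"missing required field: {field}")
    rule_type = rule.get("type")
    if rule_type is not None:
        if rule_type not in TYPE_REQUIRED:
            problems.append(f"unknown rule type: {rule_type}")
        else:
            for field in TYPE_REQUIRED[rule_type]:
                if field not in rule:
                    problems.append(f"{rule_type} rule missing: {field}")
    score = rule.get("risk_score")
    if score is not None and not (isinstance(score, int) and 0 <= score <= 100):
        problems.append("risk_score must be an integer from 0 to 100")
    if "severity" in rule and rule["severity"] not in SEVERITIES:
        problems.append(f"severity must be one of {SEVERITIES}")
    if rule_type == "new_terms" and not 1 <= len(rule.get("new_terms_fields", [])) <= 3:
        problems.append("new_terms_fields must contain 1-3 field names")
    if rule_type == "threshold":
        threshold = rule.get("threshold")
        if not isinstance(threshold, dict) or not all(k in threshold for k in ("field", "value")):
            problems.append("threshold must be an object with 'field' and 'value'")
    return problems


if __name__ == "__main__":
    # Constructed payload modelled on the threshold example later on this page.
    candidate = {"description": "Failed logins from one IP", "name": "Windows logins",
                 "risk_score": 30, "severity": "low", "type": "threshold",
                 "query": "event.category:authentication and event.outcome:failure"}
    print(validate_rule(candidate))  # reports the missing "threshold" object
```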
Optional fields for all rule types

| Name | Type | Description |
|---|---|---|
| actions | | Array that defines the automated actions (notifications) taken when alerts are generated (see the `actions` schema below). |
| author | String[] | The rule's author. |
| building_block_type | String | Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that generate alerts. Its value must be: |
| enabled | Boolean | Determines whether the rule is enabled. Defaults to: |
| false_positives | String[] | String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. |
| from | String | Time from which data is analyzed each time the rule executes, using a date math range. For example: |
| interval | String | Frequency of rule execution, using a date math range. For example: |
| license | String | The rule's license. |
| max_signals | Integer | Maximum number of alerts the rule can create during a single run (the rule's Max alerts per run advanced setting value). Defaults to: This setting can be superseded by the Kibana configuration setting: |
| meta | Object | Placeholder for rule metadata. NOTE: This field is overwritten when you save changes to the rule's settings. |
| note | String | Notes to help investigate alerts produced by the rule. |
| references | String[] | Array containing notes about or references to relevant information about the rule. Defaults to an empty array. |
| required_fields | Object[] | Elasticsearch fields and their types that need to be present for the rule to function. The object has the following fields: NOTE: |
| rule_id | String | Unique identifier for the rule, for example when the rule was converted from a third-party security solution. If not provided, it is created automatically. |
| setup | String | Populates the rule's setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. |
| tags | String[] | String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. |
| threat | | Object containing attack information about the type of threat the rule monitors; see ECS threat fields. Defaults to an empty array (see the `threat` schema below). |
| throttle | String | Determines how often actions are taken, at the rule level. In Elastic Security 8.8 and later, you can use: When using: |
| version | Integer | The rule's version number. Defaults to: |
| investigation_fields | Object | Specifies highlighted fields for a personalized alert investigation flow: |
| related_integrations | Object[] | The Elastic integrations the rule depends on. The object has the following fields: |
Optional fields for indicator match rules

| Name | Type | Description |
|---|---|---|
| threat_filters | Object[] | Array of query and filter contexts used to filter documents from the Elasticsearch index containing the threat values. |
| threat_indicator_path | String | Much like an ingest processor, users can use this field to define where the threat indicator is located within their indicator documents. Defaults to: |
Optional fields for query, indicator match, threshold, and new terms rules

| Name | Type | Description |
|---|---|---|
| language | String | Determines the query language, which must be: |
Optional fields for event correlation, query, threshold, indicator match, new terms, and ES|QL rules

| Name | Type | Description |
|---|---|---|
| filters | Object[] | Array of query and filter contexts that define the conditions for creating alerts from events. Defaults to an empty array. This field is not supported for ES|QL rules. |
| index | String[] | Indices on which the rule runs. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →). This field is not supported for ES|QL rules. |
| risk_score_mapping | Object[] | Overrides the generated alerts' risk score with a value from the source event: |
| rule_name_override | String | Sets which field in the source event is used to populate the alert's rule name: |
| severity_mapping | Object[] | Overrides the generated alerts' severity with a value from the source event: |
| timestamp_override | String | Sets the time field used to query indices. When unspecified, rules query the: |
| exceptions_list | Object[] | Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met. The object has the following fields: |
Optional fields for event correlation rules

| Name | Type | Description |
|---|---|---|
| event_category_field | String | Contains the event classification, such as: |
| tiebreaker_field | String | Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp. |
| timestamp_field | String | Contains the event timestamp used for sorting a sequence of events. This is different from: |
Optional alert suppression fields for query, indicator match, threshold, event correlation (non-sequence queries only), new terms, ES|QL, and machine learning rules

Note: Alert suppression for event correlation rules is currently in technical preview. This functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Query, indicator match, event correlation (non-sequence queries only), new terms, ES|QL, and machine learning rules

| Name | Type | Description |
|---|---|---|
| alert_suppression | Object | Defines the alert suppression configuration. Available fields: |
`actions` schema

All fields are required.

| Name | Type | Description |
|---|---|---|
| action_type_id | String | The connector type used for sending notifications, which can be: |
| group | String | Optionally groups actions by use cases. For alert notifications, use: |
| id | String | The connector ID. |
| params | Object | Object containing the allowed connector fields, which varies according to the connector type: |
Optional `action` fields

| Name | Type | Description |
|---|---|---|
| frequency | String | Object containing the action frequency: |
| alerts_filter | Object | Object containing the conditional filters for the action: |
Alert notification placeholders

You can use Mustache syntax to add variables to notification messages. The action frequency you choose determines the variables you can select from.

The following variables can be passed for all rules. See Action frequency: Summary of alerts for additional variables that can be passed if the rule's action frequency is Summary of alerts.

- `{{context.alerts}}`: Array of detected alerts
- `{{{context.results_link}}}`: URL to the alerts in Kibana
- `{{context.rule.anomaly_threshold}}`: Anomaly threshold score above which alerts are generated (machine learning rules only)
- `{{context.rule.description}}`: Rule description
- `{{context.rule.false_positives}}`: Rule false positives
- `{{context.rule.filters}}`: Rule filters (query rules only)
- `{{context.rule.id}}`: Unique rule ID returned after creating the rule
- `{{context.rule.index}}`: Indices the rule runs on (query rules only)
- `{{context.rule.language}}`: Rule query language (query rules only)
- `{{context.rule.machine_learning_job_id}}`: ID of the associated machine learning job (machine learning rules only)
- `{{context.rule.max_signals}}`: Maximum allowed number of alerts per rule execution
- `{{context.rule.name}}`: Rule name
- `{{context.rule.query}}`: Rule query (query rules only)
- `{{context.rule.references}}`: Rule references
- `{{context.rule.risk_score}}`: Default rule risk score. This placeholder contains the rule's default value even when the Risk score override option is used.
- `{{context.rule.rule_id}}`: Generated or user-defined rule ID that can be used as an identifier across systems
- `{{context.rule.saved_id}}`: Saved search ID
- `{{context.rule.severity}}`: Default rule severity. This placeholder contains the rule's default value even when the Severity override option is used.
- `{{context.rule.threat}}`: Rule threat framework
- `{{context.rule.threshold}}`: Rule threshold values (threshold rules only)
- `{{context.rule.timeline_id}}`: Associated timeline ID
- `{{context.rule.timeline_title}}`: Associated timeline name
- `{{context.rule.type}}`: Rule type
- `{{context.rule.version}}`: Rule version
- `{{date}}`: Date the rule scheduled the action
- `{{kibanaBaseUrl}}`: Configured `server.publicBaseUrl` value, or an empty string if not configured
- `{{rule.id}}`: ID of the rule
- `{{rule.name}}`: Name of the rule
- `{{rule.spaceId}}`: Space ID of the rule
- `{{rule.tags}}`: Tags of the rule
- `{{rule.type}}`: Type of the rule
- `{{state.signals_count}}`: Number of alerts detected
The following variables can only be passed if the rule's action frequency is For each alert:

- `{{alert.actionGroup}}`: Action group of the alert that scheduled actions for the rule
- `{{alert.actionGroupName}}`: Human-readable name of the action group of the alert that scheduled actions for the rule
- `{{alert.actionSubgroup}}`: Action subgroup of the alert that scheduled actions for the rule
- `{{alert.id}}`: ID of the alert that scheduled actions for the rule
- `{{alert.flapping}}`: A flag on the alert that indicates whether the alert status is changing repeatedly
`response_actions` schema

All fields are required.

| Name | Type | Description |
|---|---|---|
| action_type_id | String | The response action you want to add to the rule: |
| params | Object | Object containing the allowed response action fields, which varies according to the response action. Osquery: for Osquery ( For more information about running Osquery queries and packs, see the Create live query API. Endpoint Security: for Endpoint Security ( |
`threat` schema

All fields are required.

| Name | Type | Description |
|---|---|---|
| framework | String | Relevant attack framework. |
| tactic | Object | Object containing information on the attack type: |
| technique | Array | Array containing information on the attack techniques (optional): |
| subtechnique | Array | Array containing more specific information on the attack technique: |

Only threats described using the MITRE ATT&CK™ framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
Example requests

Example 1

Query rule that searches for processes started by MS Office:

POST api/detection_engine/rules

```json
{
  "rule_id": "process_started_by_ms_office_program",
  "risk_score": 50,
  "description": "Process started by MS Office program - possible payload",
  "interval": "1h",
  "name": "MS Office child process",
  "severity": "low",
  "tags": ["child process", "ms office"],
  "type": "query",
  "from": "now-70m",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "language": "kuery",
  "filters": [
    { "query": { "match": { "event.action": { "query": "Process Create (rule: ProcessCreate)", "type": "phrase" } } } }
  ],
  "required_fields": [
    { "name": "process.parent.name", "type": "keyword" }
  ],
  "related_integrations": [
    { "package": "o365", "version": "^2.3.2" }
  ],
  "enabled": false
}
```

If the rule starts running at 15:00, it analyzes data from 13:50 to 15:00. When it next runs at 16:00, it analyzes data from 14:50 to 16:00.
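The overlap between `from` and `interval` described above is what keeps consecutive runs from leaving unexamined gaps. The helper below, an added example and not Elastic's code, computes the analysis window of a run and the size of any gap between runs; it parses only the date-math forms used on this page (`now`, `now-<n><unit>`) and plain intervals such as `1h`, which is an assumption of the helper.

```python
# Added example, not Elastic's code: works out the window of data a rule
# examines on each run from its "from" and "interval" values, and checks
# that consecutive windows overlap so no events fall between them.
# Only the date-math forms this page uses ("now", "now-<n><unit>") and plain
# intervals ("1h", "2m") are parsed; that is an assumption of this helper.
import re
from datetime import datetime, timedelta

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_DATE_MATH = re.compile(r"^now(?:-(\d+)([smhd]))?$")
_INTERVAL = re.compile(r"^(\d+)([smhd])$")


def parse_duration(expr: str) -> timedelta:
    """'now-70m' -> 70 minutes, 'now' -> 0, '1h' -> 60 minutes."""
    m = _DATE_MATH.match(expr)
    if m:
        if m.group(1) is None:
            return timedelta()
        return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})
    m = _INTERVAL.match(expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def analysis_window(run_at_iso: str, rule: dict) -> tuple:
    """(start, end) ISO timestamps of the data examined by a run at run_at_iso."""
    run_at = datetime.fromisoformat(run_at_iso)
    start = run_at - parse_duration(rule["from"])
    return start.isoformat(), run_at.isoformat()


def coverage_gap_minutes(rule: dict) -> int:
    """Minutes between consecutive windows that no run examines (0 is good).
    A positive value means events can be missed; the examples on this page
    keep "from" a little longer than "interval" to avoid exactly that."""
    lookback = parse_duration(rule["from"])
    interval = parse_duration(rule["interval"])
    gap = interval - lookback
    return int(gap.total_seconds() // 60) if gap > timedelta() else 0


if __name__ == "__main__":
    ms_office_rule = {"from": "now-70m", "interval": "1h"}  # Example 1 above
    print(analysis_window("2024-01-01T15:00:00", ms_office_rule))
    print("gap minutes:", coverage_gap_minutes(ms_office_rule))
```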
Example 2

Threshold rule that detects multiple failed login attempts against a Windows host from the same external source IP address, and maps `severity` values to a custom source event field:

POST api/detection_engine/rules

```json
{
  "description": "Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.",
  "enabled": true,
  "exceptions_list": [
    { "id": "int-ips", "namespace_type": "single", "type": "detection" }
  ],
  "from": "now-180s",
  "index": ["winlogbeat-*"],
  "interval": "2m",
  "name": "Windows server prml-19",
  "query": "host.name:prml-19 and event.category:authentication and event.outcome:failure",
  "required_fields": [
    { "name": "source.ip", "type": "ip" }
  ],
  "risk_score": 30,
  "rule_id": "liv-win-ser-logins",
  "severity": "low",
  "severity_mapping": [
    { "field": "source.geo.city_name", "operator": "equals", "severity": "low", "value": "Manchester" },
    { "field": "source.geo.city_name", "operator": "equals", "severity": "medium", "value": "London" },
    { "field": "source.geo.city_name", "operator": "equals", "severity": "high", "value": "Birmingham" },
    { "field": "source.geo.city_name", "operator": "equals", "severity": "critical", "value": "Wallingford" }
  ],
  "tags": ["Brute force"],
  "threshold": { "field": "source.ip", "value": 20 },
  "type": "threshold"
}
```
Example 3

Machine learning rule that creates alerts, and sends Slack notifications, when the `linux_anomalous_network_activity_ecs` machine learning job discovers anomalies with a threshold of 70 or above:

POST api/detection_engine/rules

```json
{
  "anomaly_threshold": 70,
  "rule_id": "ml_linux_network_high_threshold",
  "risk_score": 70,
  "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
  "description": "Generates alerts when the job discovers anomalies over 70",
  "interval": "5m",
  "name": "Anomalous Linux network activity",
  "note": "Shut down the internet.",
  "setup": "This rule requires data coming in from Elastic Defend.",
  "severity": "high",
  "tags": ["machine learning", "Linux"],
  "type": "machine_learning",
  "from": "now-6m",
  "enabled": true,
  "actions": [
    {
      "action_type_id": ".slack",
      "group": "default",
      "id": "5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5",
      "params": { "message": "Urgent: {{context.rule.description}}" }
    }
  ]
}
```
Example 4

Event correlation rule that creates alerts when the Windows `rundll32.exe` process makes unusual network connections:

POST api/detection_engine/rules

```json
{
  "rule_id": "eql-outbound-rundll32-connections",
  "risk_score": 21,
  "description": "Unusual rundll32.exe network connection",
  "name": "rundll32.exe network connection",
  "severity": "low",
  "tags": ["EQL", "Windows", "rundll32.exe"],
  "type": "eql",
  "language": "eql",
  "query": "sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]",
  "required_fields": [
    { "name": "event.type", "type": "keyword" },
    { "name": "process.args", "type": "keyword" },
    { "name": "process.args_count", "type": "long" },
    { "name": "process.entity_id", "type": "keyword" },
    { "name": "process.name", "type": "keyword" },
    { "name": "process.pe.original_file_name", "type": "keyword" }
  ]
}
```
Example 5

Indicator match rule that creates alerts when one of the following conditions is met:

- An event's destination IP address and port number match the destination IP and port values in the `threat_index` index.
- An event's source IP address matches a host IP address value in the `threat_index` index.

POST api/detection_engine/rules

```json
{
  "type": "threat_match",
  "actions": [],
  "index": ["packetbeat-*"],
  "query": "destination.ip:* or host.ip:*",
  "threat_index": ["ip-threat-list"],
  "threat_query": "*:*",
  "threat_mapping": [
    {
      "entries": [
        { "field": "destination.ip", "type": "mapping", "value": "destination.ip" },
        { "field": "destination.port", "type": "mapping", "value": "destination.port" }
      ]
    },
    {
      "entries": [
        { "field": "source.ip", "type": "mapping", "value": "host.ip" }
      ]
    }
  ],
  "required_fields": [
    { "name": "destination.ip", "type": "ip" },
    { "name": "destination.port", "type": "long" },
    { "name": "host.ip", "type": "ip" }
  ],
  "risk_score": 50,
  "severity": "medium",
  "name": "Bad IP threat match",
  "description": "Checks for bad IP addresses listed in the ip-threat-list index"
}
```
In this example:

- `threat_index`: The Elasticsearch index used to match threat values.
- `threat_query`: The query that defines which threat index fields are used to match values.
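To make the AND/OR structure of `threat_mapping` concrete, the following added example (not Elastic's code) evaluates the mapping from Example 5 against a source event and a set of constructed threat-index documents: every entry inside one `entries` array must match, while sibling `entries` arrays are alternatives. The sample event and threat documents are constructed.

```python
# Added example, not Elastic's code: evaluates a threat_mapping like the one in
# Example 5 against a source event and the documents of a threat index.
# Entries inside one "entries" array must all match (AND); sibling "entries"
# arrays are alternatives (OR). The event and threat documents are constructed.
from typing import Iterable, List, Optional

# The threat_mapping from Example 5 above.
THREAT_MAPPING = [
    {"entries": [
        {"field": "destination.ip", "type": "mapping", "value": "destination.ip"},
        {"field": "destination.port", "type": "mapping", "value": "destination.port"},
    ]},
    {"entries": [
        {"field": "source.ip", "type": "mapping", "value": "host.ip"},
    ]},
]

# Constructed documents standing in for the "ip-threat-list" index.
THREAT_DOCS = [
    {"destination.ip": "203.0.113.10", "destination.port": 4444},
    {"host.ip": "198.51.100.7"},
]


def entries_match(entries: List[dict], event: dict, threat_doc: dict) -> bool:
    """All entries in one array must match: event[field] == threat_doc[value]."""
    for entry in entries:
        if entry.get("type") != "mapping":
            return False
        if entry["field"] not in event or entry["value"] not in threat_doc:
            return False  # a missing field on either side never matches
        if event[entry["field"]] != threat_doc[entry["value"]]:
            return False
    return True


def matching_threat(event: dict, mapping: List[dict],
                    threat_docs: Iterable[dict]) -> Optional[dict]:
    """Return the first threat document matched by any sibling 'entries' array,
    or None when the event does not match the indicator list at all."""
    for doc in threat_docs:
        for group in mapping:
            if entries_match(group["entries"], event, doc):
                return doc
    return None


if __name__ == "__main__":
    # Constructed event: destination matches an indicator on both ip and port.
    event = {"destination.ip": "203.0.113.10", "destination.port": 4444}
    print(matching_threat(event, THREAT_MAPPING, THREAT_DOCS))
```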
Example 6

New terms rule that creates alerts when a new IP address is detected for a user:

POST api/detection_engine/rules

```json
{
  "risk_score": 21,
  "description": "Detects a user associated with a new IP address",
  "name": "New User IP Detected",
  "severity": "medium",
  "type": "new_terms",
  "language": "kuery",
  "query": "*",
  "new_terms_fields": ["user.id", "source.ip"],
  "history_window_start": "now-30d",
  "index": ["auditbeat*"],
  "required_fields": [
    { "name": "user.id", "type": "keyword" },
    { "name": "source.ip", "type": "ip" }
  ]
}
```
Example 7

ES|QL rule that creates alerts from events that match an Excel parent process:

POST api/detection_engine/rules

```json
{
  "type": "esql",
  "language": "esql",
  "query": "from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == \"EXCEL.EXE\"",
  "name": "Find Excel events",
  "description": "Find Excel events",
  "tags": [],
  "interval": "5m",
  "from": "now-360s",
  "to": "now",
  "enabled": false,
  "risk_score": 21,
  "severity": "low",
  "required_fields": [
    { "name": "process.parent.name", "type": "keyword" }
  ]
}
```
Example 8

Query rule that searches for processes started by MS Office and suppresses alerts by the `process.parent.name` field within a 5-hour time period:

POST api/detection_engine/rules

```json
{
  "rule_id": "process_started_by_ms_office_program",
  "risk_score": 50,
  "description": "Process started by MS Office program - possible payload",
  "interval": "1h",
  "name": "MS Office child process",
  "severity": "low",
  "tags": ["child process", "ms office"],
  "type": "query",
  "from": "now-70m",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "language": "kuery",
  "filters": [
    { "query": { "match": { "event.action": { "query": "Process Create (rule: ProcessCreate)", "type": "phrase" } } } }
  ],
  "enabled": false,
  "alert_suppression": {
    "duration": { "unit": "h", "value": 5 },
    "group_by": ["process.parent.name"],
    "missing_fields_strategy": "suppress"
  }
}
```
Response code

- `200`: Indicates a successful call.

Response payload

A JSON object that includes a unique ID, the rule's creation time, and its version number. If the request payload does not include a `rule_id` field, a unique rule ID is also generated.
Example response for a query rule:

```json
{
  "created_at": "2020-04-07T14:51:09.755Z",
  "updated_at": "2020-04-07T14:51:09.970Z",
  "created_by": "elastic",
  "description": "Process started by MS Office program - possible payload",
  "enabled": false,
  "false_positives": [],
  "from": "now-70m",
  "id": "6541b99a-dee9-4f6d-a86d-dbd1869d73b1",
  "immutable": false,
  "interval": "1h",
  "rule_id": "process_started_by_ms_office_program",
  "max_signals": 100,
  "risk_score": 50,
  "name": "MS Office child process",
  "references": [],
  "severity": "low",
  "updated_by": "elastic",
  "tags": ["child process", "ms office"],
  "to": "now",
  "type": "query",
  "threat": [],
  "version": 1,
  "actions": [],
  "filters": [
    { "query": { "match": { "event.action": { "query": "Process Create (rule: ProcessCreate)", "type": "phrase" } } } }
  ],
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "language": "kuery",
  "related_integrations": [
    { "package": "o365", "version": "^2.3.2" },
    { "package": "azure", "version": "^1.11.4", "integration": "graphactivitylogs" }
  ],
  "required_fields": [
    { "name": "process.parent.name", "type": "keyword", "ecs": true }
  ],
  "setup": ""
}
```
Example response for a machine learning job rule:

```json
{
  "created_at": "2020-04-07T14:45:15.679Z",
  "updated_at": "2020-04-07T14:45:15.892Z",
  "created_by": "elastic",
  "description": "Generates alerts when the job discovers anomalies over 70",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "83876f66-3a57-4a99-bf37-416494c80f3b",
  "immutable": false,
  "interval": "5m",
  "rule_id": "ml_linux_network_high_threshold",
  "max_signals": 100,
  "risk_score": 70,
  "name": "Anomalous Linux network activity",
  "references": [],
  "severity": "high",
  "updated_by": "elastic",
  "tags": ["machine learning", "Linux"],
  "to": "now",
  "type": "machine_learning",
  "threat": [],
  "version": 1,
  "actions": [
    {
      "action_type_id": ".slack",
      "group": "default",
      "id": "5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5",
      "params": { "message": "Urgent: {{context.rule.description}}" },
      "frequency": { "summary": true, "notifyWhen": "onActiveAlert", "throttle": null }
    }
  ],
  "note": "Shut down the internet.",
  "status": "going to run",
  "status_date": "2020-04-07T14:45:21.685Z",
  "anomaly_threshold": 70,
  "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
  "related_integrations": [],
  "required_fields": [],
  "setup": ""
}
```
Example response for a threshold rule:

```json
{
  "author": [],
  "created_at": "2020-07-22T10:27:23.486Z",
  "updated_at": "2020-07-22T10:27:23.673Z",
  "created_by": "elastic",
  "description": "Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.",
  "enabled": true,
  "false_positives": [],
  "from": "now-180s",
  "id": "15dbde26-b627-4d74-bb1f-a5e0ed9e4993",
  "immutable": false,
  "interval": "2m",
  "rule_id": "liv-win-ser-logins",
  "max_signals": 100,
  "risk_score": 30,
  "risk_score_mapping": [],
  "name": "Windows server prml-19",
  "references": [],
  "severity": "low",
  "severity_mapping": [
    { "field": "source.geo.city_name", "operator": "equals", "severity": "low", "value": "Manchester" },
    { "field": "source.geo.city_name", "operator": "equals", "severity": "medium", "value": "London" },
    { "field": "source.geo.city_name", "operator": "equals", "severity": "high", "value": "Birmingham" },
    { "field": "source.geo.city_name", "operator": "equals", "severity": "critical", "value": "Wallingford" }
  ],
  "updated_by": "elastic",
  "tags": ["Brute force"],
  "to": "now",
  "type": "threshold",
  "threat": [],
  "version": 1,
  "exceptions_list": [
    { "id": "int-ips", "namespace_type": "single", "type": "detection" }
  ],
  "actions": [],
  "index": ["winlogbeat-*"],
  "query": "host.name:prml-19 and event.category:authentication and event.outcome:failure",
  "language": "kuery",
  "threshold": { "field": "source.ip", "value": 20 },
  "related_integrations": [
    { "package": "o365", "version": "^2.3.2" }
  ],
  "required_fields": [
    { "name": "source.ip", "type": "ip", "ecs": true }
  ],
  "setup": ""
}
```
Example response for an EQL rule:

```json
{
  "author": [],
  "created_at": "2020-10-05T09:06:16.392Z",
  "updated_at": "2020-10-05T09:06:16.403Z",
  "created_by": "elastic",
  "description": "Unusual rundll32.exe network connection",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "93808cae-b05b-4dc9-8479-73574b50f8b1",
  "immutable": false,
  "interval": "5m",
  "rule_id": "eql-outbound-rundll32-connections",
  "max_signals": 100,
  "risk_score": 21,
  "risk_score_mapping": [],
  "name": "rundll32.exe network connection",
  "references": [],
  "severity": "low",
  "severity_mapping": [],
  "updated_by": "elastic",
  "tags": ["EQL", "Windows", "rundll32.exe"],
  "to": "now",
  "type": "eql",
  "threat": [],
  "version": 1,
  "exceptions_list": [],
  "throttle": "no_actions",
  "query": "sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]",
  "language": "eql",
  "related_integrations": [
    { "package": "o365", "version": "^2.3.2" }
  ],
  "required_fields": [
    { "name": "event.type", "type": "keyword", "ecs": true },
    { "name": "process.args", "type": "keyword", "ecs": true },
    { "name": "process.args_count", "type": "long", "ecs": true },
    { "name": "process.entity_id", "type": "keyword", "ecs": true },
    { "name": "process.name", "type": "keyword", "ecs": true },
    { "name": "process.pe.original_file_name", "type": "keyword", "ecs": true }
  ],
  "setup": ""
}
```
Example response for an indicator match rule:

```json
{
  "author": [],
  "created_at": "2020-10-06T07:07:58.227Z",
  "updated_at": "2020-10-06T07:07:58.237Z",
  "created_by": "elastic",
  "description": "Checks for bad IP addresses listed in the ip-threat-list index",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "d5daa13f-81fb-4b13-be2f-31011e1d9ae1",
  "immutable": false,
  "interval": "5m",
  "rule_id": "608501e4-c768-4f64-9326-cec55b5d439b",
  "max_signals": 100,
  "risk_score": 50,
  "risk_score_mapping": [],
  "name": "Bad IP threat match",
  "references": [],
  "severity": "medium",
  "severity_mapping": [],
  "updated_by": "elastic",
  "tags": [],
  "to": "now",
  "type": "threat_match",
  "threat": [],
  "version": 1,
  "exceptions_list": [],
  "index": ["packetbeat-*"],
  "query": "destination.ip:* or host.ip:*",
  "language": "kuery",
  "threat_query": "*:*",
  "threat_index": ["ip-threat-list"],
  "threat_mapping": [
    {
      "entries": [
        { "field": "destination.ip", "type": "mapping", "value": "destination.ip" },
        { "field": "destination.port", "type": "mapping", "value": "destination.port" }
      ]
    },
    {
      "entries": [
        { "field": "source.ip", "type": "mapping", "value": "host.ip" }
      ]
    }
  ],
  "related_integrations": [
    { "package": "o365", "version": "^2.3.2" }
  ],
  "required_fields": [
    { "name": "destination.ip", "type": "ip", "ecs": true },
    { "name": "destination.port", "type": "long", "ecs": true },
    { "name": "host.ip", "type": "ip", "ecs": true }
  ],
  "setup": ""
}
```
Example response for a new terms rule:

```json
{
  "author": [],
  "created_at": "2020-10-06T07:07:58.227Z",
  "updated_at": "2020-10-06T07:07:58.237Z",
  "created_by": "elastic",
  "description": "Detects a user associated with a new IP address",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4",
  "immutable": false,
  "interval": "5m",
  "rule_id": "c6f5d0bc-7be9-47d4-b2f3-073d22641e30",
  "max_signals": 100,
  "risk_score": 21,
  "risk_score_mapping": [],
  "name": "New User IP Detected",
  "references": [],
  "severity": "medium",
  "severity_mapping": [],
  "updated_by": "elastic",
  "tags": [],
  "to": "now",
  "type": "new_terms",
  "threat": [],
  "version": 1,
  "exceptions_list": [],
  "index": ["auditbeat*"],
  "query": "*",
  "language": "kuery",
  "new_terms_fields": ["user.id", "source.ip"],
  "history_window_start": "now-30d",
  "related_integrations": [
    { "package": "o365", "version": "^2.3.2" }
  ],
  "required_fields": [
    { "name": "user.id", "type": "keyword", "ecs": true },
    { "name": "source.ip", "type": "ip", "ecs": true }
  ],
  "setup": ""
}
```
Example response for an ES|QL rule:

```json
{
  "name": "Find Excel events",
  "description": "Find Excel events",
  "risk_score": 21,
  "severity": "low",
  "output_index": "",
  "tags": [],
  "interval": "5m",
  "enabled": false,
  "author": [],
  "false_positives": [],
  "from": "now-360s",
  "max_signals": 100,
  "risk_score_mapping": [],
  "severity_mapping": [],
  "threat": [],
  "to": "now",
  "references": [],
  "version": 1,
  "exceptions_list": [],
  "actions": [],
  "id": "d0f20490-6da4-11ee-b85e-09e9b661f2e2",
  "updated_at": "2023-10-18T10:55:14.269Z",
  "updated_by": "elastic",
  "created_at": "2023-10-18T10:55:14.269Z",
  "created_by": "elastic",
  "revision": 0,
  "rule_id": "e4b53a89-debd-4a0d-a3e3-20606952e589",
  "immutable": false,
  "related_integrations": [
    { "package": "o365", "version": "^2.3.2" }
  ],
  "required_fields": [
    { "name": "process.parent.name", "type": "keyword", "ecs": true }
  ],
  "setup": "",
  "type": "esql",
  "language": "esql",
  "query": "from auditbeat-8.10.2 METADATA _id | where process.parent.name == \"EXCEL.EXE\""
}
```