This repository was archived by the owner on Jun 5, 2023. It is now read-only.

Improvement idea sudden_appearance model #579

@maximilienroberti


Add parameter min_aggregator_bucket with default value around 1000.
It would classify an event as outlier only if the aggregator bucket has a size bigger than the parameter min_aggregator_bucket.
Why? By observing the outliers on production, most of the FPs (close to the total) have a small number of events in their aggregation bucket.
To illustrate the idea, let's observe the following example use-case:

```ini
##############################
# SUDDEN APPEARANCE - RENAMED PROCESS
##############################
[sudden_appearance_winlog_renamed_process]
es_query_filter=_exists_:winlog.event_id AND winlog.event_id: 1

aggregator=winlog.event_data.Description.keyword
target=process.name

history_window_days=7
history_window_hours=0

# Size of the sliding window defined in DDD:HH:MM
# Therefore, 20:13:20 will correspond to 20 days 13 hours and 20 minutes
sliding_window_size=03:00:00

sliding_window_step_size=00:01:00

outlier_type=first observation
outlier_reason=sudden appearance of a renamed process
outlier_summary=sudden appearance of a process renamed to {process.name} with description {winlog.event_data.Description}

run_model=1
test_model=0
```

It is worth noting that winlog.event_data.Description, which is selected as the aggregator parameter, corresponds to the process description, which stays constant even if you change the name of the process.
Therefore, the goal of this use-case is to catch events whose process name suddenly changes (ATT&CK T1218 or T1036) while the description stays the same.
Example: powershell.exe with description Windows PowerShell that is suddenly renamed to catchme.exe.
If an event is caught as an outlier with an aggregator bucket of size near to 1, it will simply mean that a new, unseen process is suddenly running, not that a process has been suddenly renamed. On the contrary, if the bucket size is big, it means that a lot of events have been observed with a certain description and a certain name, and that the name has been suddenly changed.

This improvement is easy to implement and, from my point of view, essential to make sudden_appearance work efficiently.
@daanraman @michielmeersmans What do you think?
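The filtering proposed above, written out as an added example that is not the ee-outliers code base: a simplified sudden-appearance check over constructed events, evaluated for the last sliding-window position only, where a `min_aggregator_bucket` threshold (assumed name, taken from the proposal) suppresses first observations whose aggregator bucket is tiny. The constructed sample holds many `powershell.exe` events under the description `Windows PowerShell`, one renamed `catchme.exe` under the same description, and one unrelated new process.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, aggregator, target)
# aggregator = winlog.event_data.Description, target = process.name
T0 = datetime(2023, 1, 1)
EVENTS = (
    [(T0 + timedelta(hours=h), "Windows PowerShell", "powershell.exe") for h in range(144)]
    + [(T0 + timedelta(hours=145), "Windows PowerShell", "catchme.exe")]  # renamed process
    + [(T0 + timedelta(hours=146), "Some New Tool", "newtool.exe")]       # genuinely new process
)


def sudden_appearance(events, history_window, sliding_window, min_aggregator_bucket=0):
    """Return first observations for the last sliding window position.

    An (aggregator, target) pair is a first observation when it occurs inside the
    sliding window but never in the part of the history window before it.
    With min_aggregator_bucket > 0 the pair is only reported when the aggregator
    bucket (all events sharing that aggregator value inside the history window)
    holds more than min_aggregator_bucket events, so one-off new processes drop out.
    """
    end = max(ts for ts, _, _ in events)
    history_start = end - history_window
    window_start = end - sliding_window

    in_scope = [e for e in events if e[0] >= history_start]
    bucket_size = Counter(agg for _, agg, _ in in_scope)
    seen_before = defaultdict(set)
    for ts, agg, target in in_scope:
        if ts < window_start:
            seen_before[agg].add(target)

    outliers, reported = [], set()
    for ts, agg, target in sorted(in_scope):
        if ts < window_start or target in seen_before[agg] or (agg, target) in reported:
            continue
        reported.add((agg, target))  # report each new pair once per window
        if bucket_size[agg] > min_aggregator_bucket:
            outliers.append({"timestamp": ts, "aggregator": agg, "target": target,
                             "bucket_size": bucket_size[agg]})
    return outliers


if __name__ == "__main__":
    for threshold in (0, 100):
        print(threshold, sudden_appearance(EVENTS, timedelta(days=7), timedelta(days=3), threshold))
```

With the threshold at 0 both `catchme.exe` (bucket of 145) and `newtool.exe` (bucket of 1) are reported; at 100 only the renamed process survives.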
