This repository has been archived by the owner on Jun 5, 2023. It is now read-only.
Add parameter min_aggregator_bucket with default value around 1000.
It would classify an event as an outlier only if the aggregator bucket has a size bigger than the parameter min_aggregator_bucket.
Why? By observing the outliers on production, most of the FPs (close to the total) have a small number of events in their aggregation bucket.
To illustrate the idea, let's observe the following example use-case:
##############################
# SUDDEN APPEARANCE - RENAMED PROCESS
##############################
[sudden_appearance_winlog_renamed_process]
es_query_filter=_exists_:winlog.event_id AND winlog.event_id: 1
aggregator=winlog.event_data.Description.keyword
target=process.name
history_window_days=7
history_window_hours=0
# Size of the sliding window defined in DDD:HH:MM
# Therefore, 20:13:20 will correspond to 20 days 13 hours and 20 minutes
sliding_window_size=03:00:00
sliding_window_step_size=00:01:00
outlier_type=first observation
outlier_reason=sudden appearance of a renamed process
outlier_summary=sudden appearance of a process renamed to {process.name} with description {winlog.event_data.Description}
run_model=1
test_model=0
It is worth noting that winlog.event_data.Description, which is selected as the aggregator parameter, corresponds to the process description, which stays constant even if you change the name of the process.
Therefore, the goal of this use-case is to catch events with a process name that suddenly changes (ATT&CK T1218 or T1036) while the description stays the same.
Example: powershell.exe with description Windows PowerShell that is suddenly renamed to catchme.exe.
If an event is caught as an outlier with an aggregator bucket of size near to 1, it simply means that a new, unseen process is suddenly running, not that a process has been suddenly renamed. On the other hand, if the bucket size is big, it means that a lot of events have been observed with a certain description and a certain name, and that the name has suddenly changed.
This improvement is easy to implement and, from my point of view, essential to make sudden_appearance work efficiently. @daanraman @michielmeersmans What do you think?
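The proposed threshold, as an added Python example that is not part of this issue or of the project's own code: a new target value (process.name) inside an aggregator bucket (winlog.event_data.Description) is reported only when the bucket already holds more than min_aggregator_bucket historical events. The event tuples are constructed sample data and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample history (not from the original issue): one process-creation
# event per tuple, as (winlog.event_data.Description, process.name).
HISTORY = (
    [("Windows PowerShell", "powershell.exe")] * 1200   # large, well-known bucket
    + [("Notepad", "notepad.exe")] * 3                   # tiny bucket
)
# Constructed events arriving in the current sliding window.
NEW_EVENTS = [
    ("Windows PowerShell", "catchme.exe"),   # same description, new name: rename candidate
    ("Notepad", "evil.exe"),                 # tiny bucket: just a new, rarely seen process
    ("Windows PowerShell", "powershell.exe"),  # already seen: not a first observation
]


def build_buckets(history):
    """Map each aggregator value to [bucket size, set of target values seen]."""
    buckets = defaultdict(lambda: [0, set()])
    for description, name in history:
        buckets[description][0] += 1
        buckets[description][1].add(name)
    return buckets


def sudden_appearance(history, new_events, min_aggregator_bucket=1000):
    """Return (outliers, suppressed) as lists of (description, name, bucket size).

    A first observation of a target value is an outlier only if its aggregator
    bucket is bigger than min_aggregator_bucket; smaller buckets are suppressed
    because they indicate a new process, not a renamed one.
    """
    buckets = build_buckets(history)
    outliers, suppressed = [], []
    for description, name in new_events:
        size, seen = buckets[description]
        if name in seen:
            continue  # known (description, name) pair: nothing to report
        record = outliers if size > min_aggregator_bucket else suppressed
        record.append((description, name, size))
        seen.add(name)            # the window moves on; count this observation once
        buckets[description][0] += 1
    return outliers, suppressed
```

With the default threshold only the renamed PowerShell is reported; lowering min_aggregator_bucket to 0 restores the current behaviour and also reports the new process in the tiny bucket.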