ML-experimental-detections-20210804-6
Pre-release
Pre-release
·
1475 commits
to main
since this release
changelog
detections added
URL Spoofing
- Experimental Rules
- 47b1a804-4f65-40b0-a7ef-fdac3c00b00c: Added new rule for url_spoofing.prediction: phishing (model prediction) or abuseurl_label: 1 (threat intelligence enrichment)
Registry of experimental detections
Experimental detections
expand to view
- rules and dashboards can be imported via Kibana
- jobs and datafeeds can be imported using the CLI or Kibana devtools
Refer to the experimental-maching-learning docs for more details
| detection ID | type | relative path |
|---|---|---|
| 47b1a804-4f65-40b0-a7ef-fdac3c00b00c | rule | url_spoof/rule/url_spoof_ml_predicted_malicious_url.ndjson |
| problem_child_high_sum_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_parent.json |
| problem_child_high_sum_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_user.json |
| problem_child_rare_process_by_parent | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_parent.json |
| problem_child_rare_process_by_user | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_user.json |
| problem_child_high_sum_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_high_sum_by_host.json |
| problem_child_rare_process_by_host | anomaly_detection | problem_child/anomaly_detection/problem_child_rare_process_by_host.json |
| problem_child_high_sum_by_parent | datafeed | problem_child/datafeed/problem_child_high_sum_by_parent.json |
| problem_child_high_sum_by_user | datafeed | problem_child/datafeed/problem_child_high_sum_by_user.json |
| problem_child_rare_process_by_parent | datafeed | problem_child/datafeed/problem_child_rare_process_by_parent.json |
| problem_child_rare_process_by_user | datafeed | problem_child/datafeed/problem_child_rare_process_by_user.json |
| problem_child_high_sum_by_host | datafeed | problem_child/datafeed/problem_child_high_sum_by_host.json |
| problem_child_rare_process_by_host | datafeed | problem_child/datafeed/problem_child_rare_process_by_host.json |
| 9a2e372a-cbeb-4ad6-a288-017ef086324c | rule | problem_child/rule/problem_child_ml_high_probability_suspicious_windows_event.ndjson |
| a5cb4cd7-ba05-47e8-a815-f95c21719ded | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_user.ndjson |
| 9b98d945-2cce-45e5-aa84-4b021af0e153 | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_parent.ndjson |
| ff590871-371b-468f-8cd8-2876b54c53bd | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_user.ndjson |
| ae7c2f69-0c51-4b02-ad54-d3d75023da8b | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_parent.ndjson |
| 34184d4e-ef61-477b-8d76-5c93448c29bf | rule | problem_child/rule/problem_child_ml_predicted_suspicious_windows_event.ndjson |
| 415d6863-7676-401f-aa8d-62f59a28e849 | rule | problem_child/rule/problem_child_ml_rare_suspicious_process_by_host.ndjson |
| 86d57ec4-ace5-4456-8145-02e6f0cdd71a | rule | problem_child/rule/problem_child_ml_suspicious_process_cluster_by_host.ndjson |
| dga_high_sum_probability | anomaly_detection | dga/anomaly_detection/dga_high_sum_probability.json |
| dga_high_sum_probability | datafeed | dga/datafeed/dga_high_sum_probability.json |
| 997ec71d-bddc-4513-b6f1-193f601fd420 | rule | dga/rule/dga_command_and_control_high_sum_scores.ndjson |
| 170b35d4-d944-4264-a8ca-3118ae2e1534 | rule | dga/rule/dga_command_and_control_ml_sunburst_domain.ndjson |
| 64116bb2-0f2c-4cf6-9df4-9973452b4d4b | rule | dga/rule/dga_command_and_control_ml_predicted_domain.ndjson |
| a020dadb-3da2-4252-91e9-b0fc148823e2 | rule | dga/rule/dga_command_and_control_ml_probable_domain.ndjson |
| None | dashboard | dga/dashboard/dga_dashboard.ndjson |