Updates to pre-built Security ML jobs

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events.json

@@ -25,6 +25,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-security-auth"
+    "created_by": "ml-module-security-auth",
+    "security_app_display_name": "Spike in Logon Events"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip.json

@@ -30,6 +30,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-security-auth"
+    "created_by": "ml-module-security-auth",
+    "security_app_display_name": "Spike in Logon Events from a Source IP"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails.json

@@ -25,6 +25,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-security-auth"
+    "created_by": "ml-module-security-auth",
+    "security_app_display_name": "Spike in Failed Logon Events"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json

@@ -28,6 +28,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-security-auth"
+    "created_by": "ml-module-security-auth",
+    "security_app_display_name": "Unusual Hour for a User to Logon"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json

@@ -29,6 +29,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-security-auth"
+    "created_by": "ml-module-security-auth",
+    "security_app_display_name": "Unusual Source IP for a User to Logon from"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user.json

@@ -28,6 +28,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-security-auth"
+    "created_by": "ml-module-security-auth",
+    "security_app_display_name": "Rare User Logon"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json

@@ -31,6 +31,7 @@
   },
   "custom_settings": {
     "created_by": "ml-module-siem-auditbeat",
+    "security_app_display_name": "Unusual Login Activity",
     "custom_urls": [
       {
         "url_name": "IP Address Details",

x-pack/plugins/ml/server/models/data_recognizer/modules/siem_cloudtrail/manifest.json → x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/manifest.json

@@ -1,5 +1,5 @@
 {
-  "id": "siem_cloudtrail",
+  "id": "security_cloudtrail",
   "title": "Security: Cloudtrail",
   "description": "Detect suspicious activity recorded in your cloudtrail logs.",
   "type": "Filebeat data",

x-pack/plugins/ml/server/models/data_recognizer/modules/siem_cloudtrail/ml/high_distinct_count_error_message.json → x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/high_distinct_count_error_message.json

@@ -29,6 +29,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-siem-cloudtrail"
+    "created_by": "ml-module-security-cloudtrail",
+    "security_app_display_name": "Spike in AWS Error Messages"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/siem_cloudtrail/ml/rare_error_code.json → x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json

@@ -28,6 +28,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-siem-cloudtrail"
+    "created_by": "ml-module-security-cloudtrail",
+    "security_app_display_name": "Rare AWS Error Code"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/siem_cloudtrail/ml/rare_method_for_a_city.json → x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json

@@ -29,6 +29,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-siem-cloudtrail"
+    "created_by": "ml-module-security-cloudtrail",
+    "security_app_display_name": "Unusual City For an AWS Command"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/siem_cloudtrail/ml/rare_method_for_a_country.json → x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json

@@ -29,6 +29,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-siem-cloudtrail"
+    "created_by": "ml-module-security-cloudtrail",
+    "security_app_display_name": "Unusual Country For an AWS Command"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/siem_cloudtrail/ml/rare_method_for_a_username.json → x-pack/plugins/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json

@@ -29,6 +29,7 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "created_by": "ml-module-siem-cloudtrail"
+    "created_by": "ml-module-security-cloudtrail",
+    "security_app_display_name": "Unusual AWS Command for a User"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_activity.json

@@ -32,14 +32,14 @@
     "time_field": "@timestamp"
   },
   "custom_settings": {
-    "custom_settings": {
     "job_tags": {
       "euid": "4004",
       "maturity": "release",
       "author": "@randomuserid/Elastic",
       "version": "3",
       "updated_date": "5/16/2022"
-  },
+    },
+    "created_by": "ml-module-security-linux-v3",
     "custom_urls": [
       {
         "url_name": "Host Details by process name",
@@ -57,7 +57,7 @@
         "url_name": "Hosts Overview by user name",
         "url_value": "siem#/ml-hosts?_g=()&kqlQuery=(filterQuery:(expression:'user.name%20:%20%22$user.name$%22',kind:kuery),queryLocation:hosts.page,type:page)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
       }
-    ]
+    ],
+    "security_app_display_name": "Unusual Linux Network Activity"
   }
 }
-}

x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_network_port_activity.json

@@ -57,6 +57,7 @@
         "url_name": "Hosts Overview by user name",
         "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
       }
-    ]
+    ],
+    "security_app_display_name": "Unusual Linux Network Port Activity"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_process_all_hosts.json

@@ -60,6 +60,7 @@
         "url_name": "Hosts Overview by user name",
         "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
       }
-    ]
+    ],
+    "security_app_display_name": "Anomalous Process For a Linux Population"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_anomalous_user_name.json

@@ -59,6 +59,7 @@
         "url_name": "Hosts Overview by user name",
         "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
       }
-    ]
+    ],
+    "security_app_display_name": "Unusual Linux Username"
   }
 }

x-pack/plugins/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_network_configuration_discovery.json

@@ -1,62 +1,63 @@
 {
-    "job_type": "anomaly_detector",
-    "description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
-    "groups": [
-      "security",
-      "auditbeat",
-      "endpoint",
-      "linux",
-      "process"
+  "job_type": "anomaly_detector",
+  "description": "Security: Linux - Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+  "groups": [
+    "security",
+    "auditbeat",
+    "endpoint",
+    "linux",
+    "process"
+  ],
+  "analysis_config": {
+    "bucket_span": "15m",
+    "detectors": [
+      {
+        "detector_description": "Detects rare user.name values.",
+        "function": "rare",
+        "by_field_name": "user.name"
+      }
     ],
-    "analysis_config": {
-      "bucket_span": "15m",
-      "detectors": [
-        {
-          "detector_description": "Detects rare user.name values.",
-          "function": "rare",
-          "by_field_name": "user.name"
-        }
-      ],
-      "influencers": [
-        "process.name",
-        "host.name",
-        "process.args",
-        "user.name"
-      ]
-    },
-    "allow_lazy_open": true,
-    "analysis_limits": {
-      "model_memory_limit": "64mb"
-    },
-    "data_description": {
-      "time_field": "@timestamp"
-    },
-    "custom_settings": {
+    "influencers": [
+      "process.name",
+      "host.name",
+      "process.args",
+      "user.name"
+    ]
+  },
+  "allow_lazy_open": true,
+  "analysis_limits": {
+    "model_memory_limit": "64mb"
+  },
+  "data_description": {
+    "time_field": "@timestamp"
+  },
+  "custom_settings": {
     "job_tags": {
       "euid": "40012",
       "maturity": "release",
       "author": "@randomuserid/Elastic",
       "version": "3",
       "updated_date": "5/16/2022"
-  },
-      "created_by": "ml-module-security-linux-v3",
-      "custom_urls": [
-        {
-          "url_name": "Host Details by process name",
-          "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
-        },
-        {
-          "url_name": "Host Details by user name",
-          "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
-        },
-        {
-          "url_name": "Hosts Overview by process name",
-          "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
-        },
-        {
-          "url_name": "Hosts Overview by user name",
-          "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
-        }
-      ]
-    }
+    },
+    "created_by": "ml-module-security-linux-v3",
+    "custom_urls": [
+      {
+        "url_name": "Host Details by process name",
+        "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+      },
+      {
+        "url_name": "Host Details by user name",
+        "url_value": "security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+      },
+      {
+        "url_name": "Hosts Overview by process name",
+        "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+      },
+      {
+        "url_name": "Hosts Overview by user name",
+        "url_value": "security/hosts/ml-hosts?_g=()&query=(query:'user.name%20:%20%22$user.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))"
+      }
+    ],
+    "security_app_display_name": "Unusual Linux System Network Configuration Discovery"
+  }
 }