jvalente-salemstate
commented
3 months ago It also seems like agentbeat needs to be added as well. The other beats were include a while back.
Closed jvalente-salemstate closed 3 months ago
jvalente-salemstate
commented
3 months ago It also seems like agentbeat needs to be added as well. The other beats were include a while back.
Link to rule
https://www.elastic.co/guide/en/security/8.12/statistical-model-detected-c2-beaconing-activity.html
https://elastic.github.io/detection-rules-explorer/rules/5397080f-34e5-449b-8e9c-4c8083d7ccc6
Query
Description
This rule may trigger when using package managers, such as
dnf. As I was setting up our new logstash servers I needed to install python and searched for a few other packages. This triggered an alert with the two attributes.process.name: "dnf"andbeacon_stats.destination_ips: [209.132.178.16, 23.1.8.251, 34.120.127.130]Two of these are Red Hat's IPs and one seems to be for elastic artifacts (when I installed logstash).
Adding items such as
dnf, yum, apt, wingetmay reduce false positives from scripts/admins running multiple commands or automatic update checks running on a fixed schedule.Example Data
The query provided above would add additional processes to
and not process.name: (...)I'm willing to submit a PR for this but before I open a draft I also want to make sure I'm not missing some scenario where package managers are used to mask beaconing.
A more complete list, or if this has been observed at all with them, would also allow for more to be included in one change.
I've only observed this once, but it's also the first time Elastic Agent with Defend has been enrolled as the first step after the initial provision + domain join.