Add new ML detection rules for Privileged Access Detection

[sodhikirti07]

Pull Request

Issue link(s):

• https://github.com/elastic/security-ml/issues/507

Summary - What I changed

• Added detection rules corresponding to AD jobs in the Privileged Access Detection (PAD) package. You could see the jobs config here.
  Note: Both updates are scheduled for release in version 8.18.0.
• Excluded pad rules from react tests kick off.
• Built manifest and schema for PAD tests

❯ python -m detection_rules dev integrations build-manifests -o --prerelease -i pad
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

loading rules to determine all integration tags
loaded pad manifests from the following package versions: ['0.0.1']
final integrations manifests dumped: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/integration-manifests.json.gz
(.venv) 
detection-rules on  add-new-ml-detection-rules [$!?] is 📦 v0.4.22 via 🐍 v3.12.8 (.venv) on ☁️  shashank.suryanarayana@elastic.co 
❯ python -m detection_rules dev integrations build-schemas -o -i pad
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Building integration schemas...
processing pad
final integrations manifests dumped: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/integration-schemas.json.gz
(.venv) 
detection-rules on  add-new-ml-detection-rules [$!?] is 📦 v0.4.22 via 🐍 v3.12.8 (.venv) on ☁️  shashank.suryanarayana@elastic.co took 4s 
❯ 

• The rule also requires schemas for sysmon_linux, but this package does not yet have a 9.0.0 version support if PAD is supported in 9.0.0 we would need to get this dependent package updated.

How To Test

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Spike in Group Privilege Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in Special Logon Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ High Command Line Entropy Detected for Privileged Commands (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in Group Membership Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in User Lifecycle Management Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Privilege Type assigned to a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in Group Application Assignment Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in User Account Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Process Detected for Privileged Commands by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in Special Privilege Use Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in Group Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in Group Lifecycle Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Decline in host-based traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in Privileged Command Execution by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events
• ❌ Spike in host-based traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
  • events_validation_missing: Not tested with events

[shashank-elastic]

Quick Review note

• PAD seems to be a new integration that we are adding.
• This would mean we need to pull in manifests and schemas for the same!
• When are targeting this we have a huge big PR for Prep work and a release scheduled this week once we are unblocked by the ML packages having 9.0.0.
• From the integrations part I can help you generate for PAD and we can sync on this

[shashank-elastic]

Post Syncing with @sodhikirti07
The Package is not published in the EPR - https://epr.elastic.co/search?package=pad
This is scheduled to release in Timeline of 8.18 and we will be able to pull the rule dev work and integrations only after having at-least a beta version of the package and the same has been communicated.

[terrancedejesus]

@shashank-elastic - If I remember correctly, we still need to validate ML job IDs in packages upstream. Thus this PR will not be able to merge until that the ML package is in EPR. We could manually add them to bypass this for now, but need to pull later when available

[tradebot-elastic]

⛔️ Tests failed:

[sodhikirti07]

@shashank-elastic Started a PR for Security:Host module here : #4519

[shashank-elastic]

Update

For this PR we have new integration PAD, and we wait for the Package to release add the package to our list of MACHINE_LEARNING packages here and then allow it pass through the normal dev cycle.

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Spike in Group Privilege Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Special Logon Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ High Command Line Entropy Detected for Privileged Commands (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Membership Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in User Lifecycle Management Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Privilege Type assigned to a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Application Assignment Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in User Account Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Process Detected for Privileged Commands by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Special Privilege Use Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Lifecycle Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Privileged Command Execution by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[sodhikirti07]

@shashank-elastic The Privileged Access Detection package is now available as a beta-release: https://epr.elastic.co/package/pad/0.0.1/. Could you help adding the detection-rules for this integration? This package is available for both 8.18 and 9.0.

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Spike in Group Privilege Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Special Logon Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ High Command Line Entropy Detected for Privileged Commands (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Membership Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in User Lifecycle Management Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Privilege Type assigned to a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Application Assignment Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in User Account Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Process Detected for Privileged Commands by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Special Privilege Use Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Lifecycle Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Privileged Command Execution by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Spike in Group Privilege Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Source IP for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Special Logon Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ High Command Line Entropy Detected for Privileged Commands (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Membership Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in User Lifecycle Management Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Privilege Type assigned to a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Host Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Application Assignment Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in User Account Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Process Detected for Privileged Commands by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Special Privilege Use Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Management Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Host Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Spike in Concurrent Active Sessions by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Region Name for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Group Lifecycle Change Events (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Privileged Command Execution by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Region Name for Windows Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Group Name Accessed by a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Source IP for Okta Privileged Operations Detected (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[github-actions]

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

• Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
• Include additional context or screenshots.
• Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

• Code follows established design patterns within the repo and avoids duplication.
• Code changes do not introduce new warnings or errors.
• Variables and functions are well-named and descriptive.
• Any unnecessary / commented-out code is removed.
• Ensure that the code is modular and reusable where applicable.
• Check for proper exception handling and messaging.

Testing

• New unit tests have been added to cover the enhancement.
• Existing unit tests have been updated to reflect the changes.
• Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
• Validate that any rules affected by the enhancement are correctly updated.
• Ensure that performance is not negatively impacted by the changes.
• Verify that any release artifacts are properly generated and tested.

Additional Checks

• Ensure that the enhancement does not break existing functionality.
• Review the enhancement with a peer or team member for additional insights.
• Verify that the enhancement works across all relevant environments (e.g., different OS versions).
• Confirm that all dependencies are up-to-date and compatible with the changes.
• Confirm that the proper version label is applied to the PR patch, minor, major.

[shashank-elastic]

March 13 Update

• Some small changes in tactic is required I have added the header for discovery in commit, this is missing a technique / sub- tech might wanna check that @sodhikirti07
• Ignore react test kick off for pad rules updated
• Added PAD as machine learning package and updated the manifest and schema
• Once the schema is added, one of the rule is failing with the below error. Please check the valid machine learning job_id for the said rule.

E           AssertionError: The following (1) rules are missing a valid `machine_learning_job_id`:
E           2bca4fcd-5228-4472-9071-148903a31057 - Unusual Host Name for Windows Privileged Operations Detected -> machine_learning_job_id `pad_windows_rare_host_name_by_user` not found in version `0.0.1` of `pad` integration. existing jobs: ['pad_windows_high_count_special_logon_events', 'pad_windows_high_count_special_privilege_use_events', 'pad_windows_high_count_group_management_events', 'pad_windows_high_count_user_account_management_events', 'pad_windows_rare_privilege_assigned_to_user', 'pad_windows_rare_group_name_by_user', 'pad_windows_rare_device_by_user', 'pad_windows_rare_source_ip_by_user', 'pad_windows_rare_region_name_by_user', 'pad_linux_high_count_privileged_process_events_by_user', 'pad_linux_rare_process_executed_by_user', 'pad_linux_high_median_process_command_line_entropy_by_user', 'pad_okta_spike_in_group_membership_changes', 'pad_okta_spike_in_user_lifecycle_management_changes', 'pad_okta_spike_in_group_privilege_changes', 'pad_okta_spike_in_group_application_assignment_changes', 'pad_okta_spike_in_group_lifecycle_changes', 'pad_okta_high_sum_concurrent_sessions_by_user', 'pad_okta_rare_source_ip_by_user', 'pad_okta_rare_region_name_by_user', 'pad_okta_rare_host_name_by_user']

• Now after adding PAD we noticed a new integration sysmon_linux in the PAD rules. Now this integration does not have a 9.0.0 version compatible package, now it may pass for 8.18 but it definitely will block us in creating 9.0 package.
• Even before we merge this its good to reach out to the said team in the owner filed "elastic/sec-linux-platform" for a 9.0.0 compatible package. I have raised similar requests, if you need help there please let me know

cc @sodhikirti07 @Mikaayenson